From 37306e689d0d3db9bf54bdea777a84fd2c683827 Mon Sep 17 00:00:00 2001
From: Bill Burke <bburke@redhat.com>
Date: Fri, 3 Apr 2015 14:04:19 -0400
Subject: [PATCH] initial Picketlink SAML fork

---
 broker/saml/pom.xml                           |    8 +
 .../keycloak/broker/saml/SAMLEndpoint.java    |   44 +-
 .../broker/saml/SAMLIdentityProvider.java     |    3 +-
 .../saml/SAMLIdentityProviderFactory.java     |   20 +-
 dependencies/server-all/pom.xml               |    7 +
 distribution/modules/build.xml                |    3 +
 .../keycloak-broker-saml/main/module.xml      |    3 +-
 .../keycloak-saml-core/main/module.xml        |   19 +
 .../keycloak-saml-protocol/main/module.xml    |    4 +-
 saml/saml-core/pom.xml                        |   17 +-
 .../dom/saml/common/CommonActionType.java     |   61 +
 .../dom/saml/common/CommonAdviceType.java     |   65 +
 .../dom/saml/common/CommonAssertionType.java  |   54 +
 .../dom/saml/common/CommonConditionsType.java |   70 +
 .../common/CommonRequestAbstractType.java     |   81 +
 .../dom/saml/common/CommonResponseType.java   |   99 +
 .../saml/common/CommonStatusDetailType.java   |   74 +
 .../saml/v1/assertion/SAML11ActionType.java   |   35 +
 .../saml/v1/assertion/SAML11AdviceType.java   |   33 +
 .../v1/assertion/SAML11AssertionType.java     |  124 +
 .../SAML11AttributeDesignatorType.java        |   48 +
 .../SAML11AttributeStatementType.java         |   55 +
 .../v1/assertion/SAML11AttributeType.java     |   58 +
 .../SAML11AudienceRestrictionCondition.java   |   55 +
 .../SAML11AuthenticationStatementType.java    |   84 +
 .../assertion/SAML11AuthorityBindingType.java |   58 +
 ...L11AuthorizationDecisionStatementType.java |   81 +
 .../SAML11ConditionAbstractType.java          |   29 +
 .../v1/assertion/SAML11ConditionType.java     |   27 +
 .../SAML11ConditionsAbstractType.java         |   29 +
 .../v1/assertion/SAML11ConditionsType.java    |   58 +
 .../saml/v1/assertion/SAML11DecisionType.java |   31 +
 .../SAML11DoNotCacheConditionType.java        |   27 +
 .../saml/v1/assertion/SAML11EvidenceType.java |   69 +
 .../assertion/SAML11NameIdentifierType.java   |   64 +
 .../SAML11StatementAbstractType.java          |   29 +
 .../v1/assertion/SAML11StatementType.java     |   27 +
 .../SAML11SubjectConfirmationType.java        |   76 +
 .../assertion/SAML11SubjectLocalityType.java  |   48 +
 .../assertion/SAML11SubjectStatementType.java |   49 +
 .../saml/v1/assertion/SAML11SubjectType.java  |   73 +
 .../v1/protocol/SAML11AttributeQueryType.java |   64 +
 .../SAML11AuthenticationQueryType.java        |   45 +
 .../SAML11AuthorizationDecisionQueryType.java |   77 +
 .../v1/protocol/SAML11QueryAbstractType.java  |   29 +
 .../protocol/SAML11RequestAbstractType.java   |   77 +
 .../saml/v1/protocol/SAML11RequestType.java   |   82 +
 .../protocol/SAML11ResponseAbstractType.java  |   67 +
 .../saml/v1/protocol/SAML11ResponseType.java  |   67 +
 .../v1/protocol/SAML11StatusCodeType.java     |   71 +
 .../saml/v1/protocol/SAML11StatusType.java    |   72 +
 .../SAML11SubjectQueryAbstractType.java       |   45 +
 .../org/keycloak/dom/saml/v2/SAML2Object.java |   28 +
 .../v2/ac/ActivationLimitDurationType.java    |   56 +
 .../v2/ac/ActivationLimitSessionType.java     |   39 +
 .../dom/saml/v2/ac/ActivationLimitType.java   |  120 +
 .../saml/v2/ac/ActivationLimitUsagesType.java |   76 +
 .../dom/saml/v2/ac/ActivationPinType.java     |  172 ++
 .../keycloak/dom/saml/v2/ac/AlphabetType.java |  117 +
 .../dom/saml/v2/ac/AuthenticatorBaseType.java |  132 +
 .../AuthenticatorTransportProtocolType.java   |  301 +++
 .../ac/AuthnContextDeclarationBaseType.java   |  223 ++
 .../dom/saml/v2/ac/AuthnMethodBaseType.java   |  152 ++
 .../keycloak/dom/saml/v2/ac/BooleanType.java  |   75 +
 .../saml/v2/ac/ComplexAuthenticatorType.java  |  133 +
 .../dom/saml/v2/ac/DeviceTypeType.java        |   75 +
 .../dom/saml/v2/ac/ExtensionOnlyType.java     |   88 +
 .../dom/saml/v2/ac/ExtensionType.java         |   89 +
 .../keycloak/dom/saml/v2/ac/Generation.java   |   87 +
 .../saml/v2/ac/GoverningAgreementRefType.java |   77 +
 .../saml/v2/ac/GoverningAgreementsType.java   |   88 +
 .../dom/saml/v2/ac/IdentificationType.java    |  174 ++
 .../dom/saml/v2/ac/KeyActivationType.java     |  109 +
 .../dom/saml/v2/ac/KeySharingType.java        |   71 +
 .../dom/saml/v2/ac/KeyStorageType.java        |   75 +
 .../keycloak/dom/saml/v2/ac/LengthType.java   |   99 +
 .../keycloak/dom/saml/v2/ac/MediumType.java   |   81 +
 .../org/keycloak/dom/saml/v2/ac/NymType.java  |   77 +
 .../saml/v2/ac/OperationalProtectionType.java |  130 +
 .../keycloak/dom/saml/v2/ac/PasswordType.java |  177 ++
 .../dom/saml/v2/ac/PhysicalVerification.java  |   87 +
 .../PrincipalAuthenticationMechanismType.java |  217 ++
 .../saml/v2/ac/PrivateKeyProtectionType.java  |  151 ++
 .../dom/saml/v2/ac/PublicKeyType.java         |  112 +
 .../dom/saml/v2/ac/RestrictedLengthType.java  |   60 +
 .../saml/v2/ac/RestrictedPasswordType.java    |   58 +
 .../saml/v2/ac/SecretKeyProtectionType.java   |  130 +
 .../dom/saml/v2/ac/SecurityAuditType.java     |  109 +
 .../ac/SharedSecretChallengeResponseType.java |  117 +
 .../v2/ac/TechnicalProtectionBaseType.java    |  132 +
 .../dom/saml/v2/ac/TimeSyncTokenType.java     |  118 +
 .../keycloak/dom/saml/v2/ac/TokenType.java    |  109 +
 .../classes/ActivationLimitDurationType.java  |   57 +
 .../classes/ActivationLimitSessionType.java   |   39 +
 .../v2/ac/classes/ActivationLimitType.java    |  102 +
 .../ac/classes/ActivationLimitUsagesType.java |   58 +
 .../saml/v2/ac/classes/ActivationPinType.java |  124 +
 .../dom/saml/v2/ac/classes/AlphabetType.java  |  100 +
 .../v2/ac/classes/AuthenticatorBaseType.java  |   44 +
 .../AuthenticatorTransportProtocolType.java   |   48 +
 .../AuthnContextDeclarationBaseType.java      |   53 +
 .../v2/ac/classes/AuthnMethodBaseType.java    |   47 +
 .../ac/classes/ComplexAuthenticatorType.java  |   43 +
 .../saml/v2/ac/classes/DeviceTypeType.java    |   60 +
 .../saml/v2/ac/classes/ExtensionListType.java |   46 +
 .../saml/v2/ac/classes/ExtensionOnlyType.java |   43 +
 .../dom/saml/v2/ac/classes/ExtensionType.java |   42 +
 .../dom/saml/v2/ac/classes/Generation.java    |   67 +
 .../ac/classes/GoverningAgreementRefType.java |   60 +
 .../ac/classes/GoverningAgreementsType.java   |   67 +
 .../v2/ac/classes/IdentificationType.java     |  127 +
 .../saml/v2/ac/classes/KeyActivationType.java |   65 +
 .../saml/v2/ac/classes/KeySharingType.java    |   56 +
 .../saml/v2/ac/classes/KeyStorageType.java    |   61 +
 .../dom/saml/v2/ac/classes/LengthType.java    |   82 +
 .../dom/saml/v2/ac/classes/MediumType.java    |   63 +
 .../dom/saml/v2/ac/classes/NymType.java       |   61 +
 .../saml/v2/ac/classes/ObjectListType.java    |   46 +
 .../ac/classes/OperationalProtectionType.java |   85 +
 .../OriginalAuthenticatorBaseType.java        |   43 +
 ...nalAuthenticatorTransportProtocolType.java |  246 ++
 ...iginalAuthnContextDeclarationBaseType.java |  168 ++
 .../classes/OriginalAuthnMethodBaseType.java  |  107 +
 .../dom/saml/v2/ac/classes/PasswordType.java  |  124 +
 .../v2/ac/classes/PhysicalVerification.java   |   67 +
 .../PrincipalAuthenticationMechanismType.java |  168 ++
 .../ac/classes/PrivateKeyProtectionType.java  |  104 +
 .../dom/saml/v2/ac/classes/PublicKeyType.java |   63 +
 .../v2/ac/classes/RestrictedLengthType.java   |   47 +
 .../v2/ac/classes/RestrictedPasswordType.java |   46 +
 .../ac/classes/SecretKeyProtectionType.java   |   84 +
 .../saml/v2/ac/classes/SecurityAuditType.java |   63 +
 .../SharedSecretChallengeResponseType.java    |   69 +
 .../classes/TechnicalProtectionBaseType.java  |   85 +
 .../saml/v2/ac/classes/TimeSyncTokenType.java |  103 +
 .../dom/saml/v2/ac/classes/TokenType.java     |   64 +
 .../dom/saml/v2/ac/classes/package-info.java  |   20 +
 .../keycloak/dom/saml/v2/ac/package-info.java |   27 +
 .../dom/saml/v2/assertion/ActionType.java     |   42 +
 .../dom/saml/v2/assertion/AdviceType.java     |   49 +
 .../dom/saml/v2/assertion/AssertionType.java  |  257 ++
 .../v2/assertion/AttributeStatementType.java  |  106 +
 .../dom/saml/v2/assertion/AttributeType.java  |  170 ++
 .../v2/assertion/AudienceRestrictionType.java |   75 +
 .../assertion/AuthnContextClassRefType.java   |   72 +
 .../v2/assertion/AuthnContextDeclRefType.java |   66 +
 .../v2/assertion/AuthnContextDeclType.java    |   71 +
 .../saml/v2/assertion/AuthnContextType.java   |  208 ++
 .../saml/v2/assertion/AuthnStatementType.java |  140 +
 .../assertion/AuthzDecisionStatementType.java |  134 +
 .../saml/v2/assertion/BaseIDAbstractType.java |   60 +
 .../v2/assertion/ConditionAbstractType.java   |   41 +
 .../dom/saml/v2/assertion/ConditionsType.java |   81 +
 .../dom/saml/v2/assertion/DecisionType.java   |   58 +
 .../v2/assertion/EncryptedAssertionType.java  |   43 +
 .../v2/assertion/EncryptedElementType.java    |   56 +
 .../dom/saml/v2/assertion/EvidenceType.java   |  121 +
 .../KeyInfoConfirmationDataType.java          |   54 +
 .../dom/saml/v2/assertion/NameIDType.java     |   74 +
 .../dom/saml/v2/assertion/OneTimeUseType.java |   39 +
 .../v2/assertion/ProxyRestrictionType.java    |   96 +
 .../v2/assertion/StatementAbstractType.java   |   42 +
 .../SubjectConfirmationDataType.java          |  197 ++
 .../v2/assertion/SubjectConfirmationType.java |  146 +
 .../v2/assertion/SubjectLocalityType.java     |   83 +
 .../dom/saml/v2/assertion/SubjectType.java    |  153 ++
 .../dom/saml/v2/assertion/URIType.java        |   31 +
 .../dom/saml/v2/assertion/package-info.java   |   22 +
 .../AdditionalMetadataLocationType.java       |   80 +
 .../metadata/AffiliationDescriptorType.java   |  233 ++
 .../AttributeAuthorityDescriptorType.java     |  203 ++
 .../AttributeConsumingServiceType.java        |  169 ++
 .../AuthnAuthorityDescriptorType.java         |  138 +
 .../dom/saml/v2/metadata/ContactType.java     |  214 ++
 .../dom/saml/v2/metadata/ContactTypeType.java |   61 +
 .../dom/saml/v2/metadata/EndpointType.java    |  124 +
 .../v2/metadata/EntitiesDescriptorType.java   |  207 ++
 .../v2/metadata/EntityDescriptorType.java     |  391 +++
 .../dom/saml/v2/metadata/ExtensionsType.java  |   52 +
 .../v2/metadata/IDPSSODescriptorType.java     |  233 ++
 .../saml/v2/metadata/IndexedEndpointType.java |   81 +
 .../saml/v2/metadata/KeyDescriptorType.java   |  119 +
 .../dom/saml/v2/metadata/KeyTypes.java        |   57 +
 .../saml/v2/metadata/LocalizedNameType.java   |   73 +
 .../saml/v2/metadata/LocalizedURIType.java    |   75 +
 .../saml/v2/metadata/OrganizationType.java    |  155 ++
 .../saml/v2/metadata/PDPDescriptorType.java   |  139 +
 .../v2/metadata/RequestedAttributeType.java   |   66 +
 .../saml/v2/metadata/RoleDescriptorType.java  |  271 ++
 .../saml/v2/metadata/SPSSODescriptorType.java |  150 ++
 .../saml/v2/metadata/SSODescriptorType.java   |  170 ++
 .../v2/metadata/TypeWithOtherAttributes.java  |   63 +
 .../dom/saml/v2/metadata/package-info.java    |   19 +
 .../profiles/attribute/dce/DCEValueType.java  |   99 +
 .../profiles/attribute/dce/package-info.java  |   20 +
 .../v2/profiles/sso/ecp/RelayStateType.java   |   99 +
 .../saml/v2/profiles/sso/ecp/RequestType.java |  165 ++
 .../v2/profiles/sso/ecp/ResponseType.java     |  101 +
 .../v2/profiles/sso/ecp/package-info.java     |   20 +
 .../saml/v2/protocol/ArtifactResolveType.java |   69 +
 .../v2/protocol/ArtifactResponseType.java     |   73 +
 .../v2/protocol/AssertionIDRequestType.java   |   78 +
 .../saml/v2/protocol/AttributeQueryType.java  |   80 +
 .../protocol/AuthnContextComparisonType.java  |   60 +
 .../dom/saml/v2/protocol/AuthnQueryType.java  |   89 +
 .../saml/v2/protocol/AuthnRequestType.java    |  324 +++
 .../v2/protocol/AuthzDecisionQueryType.java   |  124 +
 .../dom/saml/v2/protocol/ExtensionsType.java  |   71 +
 .../dom/saml/v2/protocol/IDPEntryType.java    |  101 +
 .../dom/saml/v2/protocol/IDPListType.java     |   93 +
 .../saml/v2/protocol/LogoutRequestType.java   |  190 ++
 .../v2/protocol/ManageNameIDRequestType.java  |  160 ++
 .../v2/protocol/NameIDMappingRequestType.java |  137 +
 .../protocol/NameIDMappingResponseType.java   |   92 +
 .../saml/v2/protocol/NameIDPolicyType.java    |  100 +
 .../saml/v2/protocol/RequestAbstractType.java |  151 ++
 .../protocol/RequestedAuthnContextType.java   |  135 +
 .../dom/saml/v2/protocol/ResponseType.java    |  137 +
 .../dom/saml/v2/protocol/ScopingType.java     |  125 +
 .../dom/saml/v2/protocol/StatusCodeType.java  |   82 +
 .../saml/v2/protocol/StatusDetailType.java    |   44 +
 .../saml/v2/protocol/StatusResponseType.java  |  187 ++
 .../dom/saml/v2/protocol/StatusType.java      |  101 +
 .../v2/protocol/SubjectQueryAbstractType.java |   65 +
 .../dom/saml/v2/protocol/TerminateType.java   |   38 +
 .../dom/saml/v2/protocol/package-info.java    |   23 +
 .../xmldsig/CanonicalizationMethodType.java   |   67 +
 .../xmlsec/w3/xmldsig/DSAKeyValueType.java    |  304 +++
 .../xmlsec/w3/xmldsig/DigestMethodType.java   |   67 +
 .../dom/xmlsec/w3/xmldsig/KeyInfoType.java    |   86 +
 .../dom/xmlsec/w3/xmldsig/KeyValueType.java   |   44 +
 .../dom/xmlsec/w3/xmldsig/ManifestType.java   |   84 +
 .../dom/xmlsec/w3/xmldsig/ObjectType.java     |  123 +
 .../dom/xmlsec/w3/xmldsig/PGPDataType.java    |   71 +
 .../xmlsec/w3/xmldsig/RSAKeyValueType.java    |  164 ++
 .../dom/xmlsec/w3/xmldsig/ReferenceType.java  |  160 ++
 .../w3/xmldsig/RetrievalMethodType.java       |  101 +
 .../dom/xmlsec/w3/xmldsig/SPKIDataType.java   |   65 +
 .../w3/xmldsig/SignatureMethodType.java       |   86 +
 .../w3/xmldsig/SignaturePropertiesType.java   |   85 +
 .../w3/xmldsig/SignaturePropertyType.java     |   95 +
 .../dom/xmlsec/w3/xmldsig/SignatureType.java  |  144 +
 .../xmlsec/w3/xmldsig/SignatureValueType.java |   77 +
 .../dom/xmlsec/w3/xmldsig/SignedInfoType.java |  125 +
 .../dom/xmlsec/w3/xmldsig/TransformType.java  |   82 +
 .../dom/xmlsec/w3/xmldsig/TransformsType.java |   65 +
 .../w3/xmldsig/X509CertificateType.java       |   31 +
 .../dom/xmlsec/w3/xmldsig/X509DataType.java   |   71 +
 .../w3/xmldsig/X509IssuerSerialType.java      |   82 +
 .../dom/xmlsec/w3/xmldsig/package-info.java   |   19 +
 .../xmlsec/w3/xmlenc/AgreementMethodType.java |   87 +
 .../dom/xmlsec/w3/xmlenc/CipherDataType.java  |   80 +
 .../xmlsec/w3/xmlenc/CipherReferenceType.java |   78 +
 .../xmlsec/w3/xmlenc/EncryptedDataType.java   |   38 +
 .../xmlsec/w3/xmlenc/EncryptedKeyType.java    |  102 +
 .../dom/xmlsec/w3/xmlenc/EncryptedType.java   |  204 ++
 .../w3/xmlenc/EncryptionMethodType.java       |   89 +
 .../w3/xmlenc/EncryptionPropertiesType.java   |   84 +
 .../w3/xmlenc/EncryptionPropertyType.java     |  109 +
 .../dom/xmlsec/w3/xmlenc/ReferenceList.java   |   82 +
 .../dom/xmlsec/w3/xmlenc/ReferenceType.java   |   68 +
 .../dom/xmlsec/w3/xmlenc/TransformsType.java  |   69 +
 .../dom/xmlsec/w3/xmlenc/package-info.java    |   19 +
 .../saml/common/DefaultPicketLinkLogger.java  | 2386 +++++++++++++++++
 .../org/keycloak/saml/common/ErrorCodes.java  |  206 ++
 .../saml/common/PicketLinkLogger.java         | 1223 +++++++++
 .../saml/common/PicketLinkLoggerFactory.java  |   55 +
 .../common/constants/GeneralConstants.java    |  155 ++
 .../common/constants/JBossSAMLConstants.java  |   79 +
 .../constants/JBossSAMLURIConstants.java      |  129 +
 .../constants/PicketLinkCommonConstants.java  |   30 +
 .../SAMLAuthenticationContextClass.java       |   63 +
 .../common/constants/WSTrustConstants.java    |  242 ++
 .../exceptions/ConfigurationException.java    |   46 +
 .../exceptions/NotImplementedException.java   |   36 +
 .../common/exceptions/ParsingException.java   |   64 +
 .../exceptions/PicketLinkException.java       |   47 +
 .../exceptions/ProcessingException.java       |   46 +
 .../TrustKeyConfigurationException.java       |   44 +
 .../TrustKeyProcessingException.java          |   44 +
 .../fed/AssertionExpiredException.java        |   54 +
 .../fed/IssueInstantMissingException.java     |   46 +
 .../fed/IssuerNotTrustedException.java        |   46 +
 .../fed/SignatureValidationException.java     |   45 +
 .../exceptions/fed/WSTrustException.java      |   67 +
 .../saml/common/parsers/AbstractParser.java   |  136 +
 .../parsers/ParserNamespaceSupport.java       |   54 +
 .../org/keycloak/saml/common/util/Base64.java | 1279 +++++++++
 .../saml/common/util/DocumentUtil.java        |  544 ++++
 .../keycloak/saml/common/util/PBEUtils.java   |   85 +
 .../saml/common/util/SecurityActions.java     |  221 ++
 .../saml/common/util/StaxParserUtil.java      |  469 ++++
 .../keycloak/saml/common/util/StaxUtil.java   |  447 +++
 .../keycloak/saml/common/util/StringUtil.java |  229 ++
 .../common/util/SystemPropertiesUtil.java     |   64 +
 .../saml/common/util/TransformerUtil.java     |  431 +++
 .../api/saml/v2/request/SAML2Request.java     |  336 +++
 .../api/saml/v2/request/SecurityActions.java  |  166 ++
 .../api/saml/v2/response/SAML2Response.java   |  543 ++++
 .../api/saml/v2/response/SecurityActions.java |  122 +
 .../api/saml/v2/sig/SAML2Signature.java       |  358 +++
 .../saml/processing/api/util/DeflateUtil.java |   80 +
 .../core/constants/AttributeConstants.java    |   34 +
 .../PicketLinkFederationConstants.java        |   53 +
 .../parsers/saml/SAML11AssertionParser.java   |  178 ++
 .../parsers/saml/SAML11RequestParser.java     |  116 +
 .../parsers/saml/SAML11ResponseParser.java    |  189 ++
 .../parsers/saml/SAML11SubjectParser.java     |  114 +
 .../saml/SAMLArtifactResolveParser.java       |   90 +
 .../saml/SAMLArtifactResponseParser.java      |  111 +
 .../parsers/saml/SAMLAssertionParser.java     |  174 ++
 .../saml/SAMLAttributeQueryParser.java        |   92 +
 .../parsers/saml/SAMLAuthNRequestParser.java  |  212 ++
 .../parsers/saml/SAMLConditionsParser.java    |  174 ++
 .../core/parsers/saml/SAMLParser.java         |  129 +
 .../saml/SAMLRequestAbstractParser.java       |  109 +
 .../core/parsers/saml/SAMLResponseParser.java |  108 +
 .../parsers/saml/SAMLSloRequestParser.java    |  119 +
 .../parsers/saml/SAMLSloResponseParser.java   |   78 +
 .../saml/SAMLStatusResponseTypeParser.java    |  187 ++
 .../core/parsers/saml/SAMLSubjectParser.java  |  206 ++
 .../metadata/AbstractDescriptorParser.java    |   66 +
 .../SAMLEntitiesDescriptorParser.java         |  123 +
 .../metadata/SAMLEntityDescriptorParser.java  |  679 +++++
 .../core/parsers/util/SAML11ParserUtil.java   |  765 ++++++
 .../core/parsers/util/SAMLParserUtil.java     |  544 ++++
 .../core/parsers/util/SecurityActions.java    |   94 +
 .../core/saml/v1/SAML11Constants.java         |  131 +
 .../saml/v1/writers/BaseSAML11Writer.java     |   48 +
 .../v1/writers/SAML11AssertionWriter.java     |  446 +++
 .../saml/v1/writers/SAML11RequestWriter.java  |  171 ++
 .../saml/v1/writers/SAML11ResponseWriter.java |  137 +
 .../core/saml/v2/common/IDGenerator.java      |   58 +
 .../saml/v2/common/SAMLDocumentHolder.java    |   64 +
 .../constants/X500SAMLProfileConstants.java   |  154 ++
 .../JBossSAMLAuthnResponseFactory.java        |  217 ++
 .../v2/factories/SAMLAssertionFactory.java    |  197 ++
 .../saml/v2/factories/SecurityActions.java    |  126 +
 .../v2/holders/DestinationInfoHolder.java     |   56 +
 .../core/saml/v2/holders/IDPInfoHolder.java   |   78 +
 .../saml/v2/holders/IssuerInfoHolder.java     |   80 +
 .../core/saml/v2/holders/SPInfoHolder.java    |   60 +
 .../saml/v2/holders/SignatureInfoHolder.java  |   45 +
 .../core/saml/v2/util/AssertionUtil.java      |  513 ++++
 .../core/saml/v2/util/DocumentUtil.java       |   28 +
 .../core/saml/v2/util/SAMLMetadataUtil.java   |  101 +
 .../core/saml/v2/util/SecurityActions.java    |  161 ++
 .../core/saml/v2/util/SignatureUtil.java      |  297 ++
 .../core/saml/v2/util/StatementUtil.java      |  241 ++
 .../core/saml/v2/util/StaxWriterUtil.java     |  166 ++
 .../core/saml/v2/util/XMLTimeUtil.java        |  254 ++
 .../core/saml/v2/writers/BaseWriter.java      |  322 +++
 .../saml/v2/writers/SAMLAssertionWriter.java  |  285 ++
 .../saml/v2/writers/SAMLMetadataWriter.java   |  557 ++++
 .../saml/v2/writers/SAMLRequestWriter.java    |  335 +++
 .../saml/v2/writers/SAMLResponseWriter.java   |  264 ++
 .../processing/core/util/CoreConfigUtil.java  |  208 ++
 .../core/util/EncryptionKeyUtil.java          |   50 +
 .../core/util/IDFedLSInputResolver.java       |  224 ++
 .../saml/processing/core/util/JAXBUtil.java   |  280 ++
 .../core/util/JAXPValidationUtil.java         |  168 ++
 .../processing/core/util/KeyStoreUtil.java    |  201 ++
 .../core/util/NamespaceContext.java           |   96 +
 .../processing/core/util/ProvidersUtil.java   |  127 +
 .../core/util/SchemaManagerUtil.java          |  106 +
 .../processing/core/util/SecurityActions.java |  225 ++
 .../util/SignatureUtilTransferObject.java     |  115 +
 .../core/util/XMLEncryptionUtil.java          |  561 ++++
 .../core/util/XMLSignatureUtil.java           |  754 ++++++
 .../processing/web/util/PostBindingUtil.java  |   94 +
 .../util/RedirectBindingSignatureUtil.java    |  345 +++
 .../web/util/RedirectBindingUtil.java         |  219 ++
 .../processing/web/util/SecurityActions.java  |  125 +
 saml/saml-protocol/pom.xml                    |    8 +
 .../saml/EntityDescriptorImporterService.java |   26 +-
 .../saml/SAML2AuthnRequestBuilder.java        |   12 +-
 .../protocol/saml/SAML2BindingBuilder.java    |   35 +-
 .../protocol/saml/SAML2BindingBuilder2.java   |   35 +-
 .../saml/SAML2ErrorResponseBuilder.java       |   20 +-
 .../saml/SAML2LoginResponseBuilder.java       |   40 +-
 .../saml/SAML2LogoutRequestBuilder.java       |   32 +-
 .../saml/SAML2LogoutResponseBuilder.java      |   22 +-
 .../saml/SAML2NameIDPolicyBuilder.java        |    2 +-
 .../protocol/saml/SAMLRequestParser.java      |   14 +-
 .../keycloak/protocol/saml/SamlProtocol.java  |   22 +-
 .../protocol/saml/SamlProtocolFactory.java    |    9 +-
 .../protocol/saml/SamlProtocolUtils.java      |   26 +-
 .../keycloak/protocol/saml/SamlService.java   |   22 +-
 .../mappers/AttributeStatementHelper.java     |    6 +-
 .../mappers/HardcodedAttributeMapper.java     |    4 +-
 .../protocol/saml/mappers/HardcodedRole.java  |    5 -
 .../protocol/saml/mappers/RoleListMapper.java |    5 +-
 .../mappers/SAMLAttributeStatementMapper.java |    2 +-
 .../saml/mappers/SAMLLoginResponseMapper.java |    2 +-
 .../saml/mappers/SAMLRoleListMapper.java      |    2 +-
 .../mappers/UserAttributeStatementMapper.java |    2 +-
 .../UserPropertyAttributeStatementMapper.java |    2 +-
 .../SAMLKeyCloakServerBrokerBasicTest.java    |    8 +-
 ...KeyCloakServerBrokerWithSignatureTest.java |    8 +-
 .../testsuite/saml/SamlBindingTest.java       |   16 +-
 400 files changed, 48841 insertions(+), 227 deletions(-)
 create mode 100755 distribution/modules/src/main/resources/modules/org/keycloak/keycloak-saml-core/main/module.xml
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonActionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAdviceType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAssertionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonConditionsType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonRequestAbstractType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonResponseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonStatusDetailType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ActionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AdviceType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AssertionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeDesignatorType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeStatementType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AudienceRestrictionCondition.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthenticationStatementType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthorityBindingType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthorizationDecisionStatementType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionAbstractType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsAbstractType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11DecisionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11DoNotCacheConditionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11EvidenceType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11NameIdentifierType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementAbstractType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectConfirmationType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectLocalityType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectStatementType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AttributeQueryType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthenticationQueryType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthorizationDecisionQueryType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11QueryAbstractType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestAbstractType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseAbstractType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusCodeType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11SubjectQueryAbstractType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/SAML2Object.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitDurationType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitSessionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitUsagesType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationPinType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AlphabetType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthenticatorBaseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthenticatorTransportProtocolType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthnContextDeclarationBaseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthnMethodBaseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/BooleanType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ComplexAuthenticatorType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/DeviceTypeType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ExtensionOnlyType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ExtensionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/Generation.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/GoverningAgreementRefType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/GoverningAgreementsType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/IdentificationType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/KeyActivationType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/KeySharingType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/KeyStorageType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/LengthType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/MediumType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/NymType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/OperationalProtectionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PasswordType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PhysicalVerification.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PrincipalAuthenticationMechanismType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PrivateKeyProtectionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PublicKeyType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/RestrictedLengthType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/RestrictedPasswordType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/SecretKeyProtectionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/SecurityAuditType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/SharedSecretChallengeResponseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/TechnicalProtectionBaseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/TimeSyncTokenType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/TokenType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitDurationType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitSessionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitUsagesType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationPinType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AlphabetType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthenticatorBaseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthenticatorTransportProtocolType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthnContextDeclarationBaseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthnMethodBaseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ComplexAuthenticatorType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/DeviceTypeType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ExtensionListType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ExtensionOnlyType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ExtensionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/Generation.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/GoverningAgreementRefType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/GoverningAgreementsType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/IdentificationType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/KeyActivationType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/KeySharingType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/KeyStorageType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/LengthType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/MediumType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/NymType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ObjectListType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OperationalProtectionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthenticatorBaseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthenticatorTransportProtocolType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthnContextDeclarationBaseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthnMethodBaseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PasswordType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PhysicalVerification.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PrincipalAuthenticationMechanismType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PrivateKeyProtectionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PublicKeyType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/RestrictedLengthType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/RestrictedPasswordType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/SecretKeyProtectionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/SecurityAuditType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/SharedSecretChallengeResponseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/TechnicalProtectionBaseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/TimeSyncTokenType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/TokenType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/package-info.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/package-info.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ActionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AdviceType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AssertionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeStatementType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AudienceRestrictionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextClassRefType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclRefType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnStatementType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthzDecisionStatementType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/BaseIDAbstractType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionAbstractType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionsType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/DecisionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedAssertionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedElementType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EvidenceType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/KeyInfoConfirmationDataType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/NameIDType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/OneTimeUseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ProxyRestrictionType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/StatementAbstractType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationDataType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectLocalityType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/URIType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/package-info.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AdditionalMetadataLocationType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AffiliationDescriptorType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AttributeAuthorityDescriptorType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AttributeConsumingServiceType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AuthnAuthorityDescriptorType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/ContactType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/ContactTypeType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/EndpointType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/EntitiesDescriptorType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/EntityDescriptorType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/ExtensionsType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/IDPSSODescriptorType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/IndexedEndpointType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/KeyDescriptorType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/KeyTypes.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/LocalizedNameType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/LocalizedURIType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/OrganizationType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/PDPDescriptorType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/RequestedAttributeType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/RoleDescriptorType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/SPSSODescriptorType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/SSODescriptorType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/TypeWithOtherAttributes.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/package-info.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/attribute/dce/DCEValueType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/attribute/dce/package-info.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/RelayStateType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/RequestType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/ResponseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/package-info.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResolveType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResponseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AssertionIDRequestType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AttributeQueryType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnContextComparisonType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnQueryType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnRequestType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthzDecisionQueryType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ExtensionsType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/IDPEntryType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/IDPListType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/LogoutRequestType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ManageNameIDRequestType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingRequestType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingResponseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDPolicyType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/RequestAbstractType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/RequestedAuthnContextType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ResponseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ScopingType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusCodeType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusDetailType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusResponseType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/SubjectQueryAbstractType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/TerminateType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/package-info.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/CanonicalizationMethodType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/DSAKeyValueType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/DigestMethodType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/KeyInfoType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/KeyValueType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/ManifestType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/ObjectType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/PGPDataType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/RSAKeyValueType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/ReferenceType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/RetrievalMethodType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SPKIDataType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignatureMethodType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignaturePropertiesType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignaturePropertyType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignatureType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignatureValueType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignedInfoType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/TransformType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/TransformsType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/X509CertificateType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/X509DataType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/X509IssuerSerialType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/package-info.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/AgreementMethodType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/CipherDataType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/CipherReferenceType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptedDataType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptedKeyType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptedType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptionMethodType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptionPropertiesType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptionPropertyType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/ReferenceList.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/ReferenceType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/TransformsType.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/package-info.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/DefaultPicketLinkLogger.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/ErrorCodes.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/PicketLinkLogger.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/PicketLinkLoggerFactory.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/constants/GeneralConstants.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/constants/JBossSAMLConstants.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/constants/JBossSAMLURIConstants.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/constants/PicketLinkCommonConstants.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/constants/SAMLAuthenticationContextClass.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/constants/WSTrustConstants.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ConfigurationException.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/NotImplementedException.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ParsingException.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/PicketLinkException.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ProcessingException.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyConfigurationException.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyProcessingException.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/AssertionExpiredException.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssueInstantMissingException.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssuerNotTrustedException.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/SignatureValidationException.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/WSTrustException.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/parsers/AbstractParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/parsers/ParserNamespaceSupport.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/util/Base64.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/util/DocumentUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/util/PBEUtils.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/util/SecurityActions.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/util/StaxParserUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/util/StaxUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/util/StringUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/util/SystemPropertiesUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/request/SAML2Request.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/request/SecurityActions.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SecurityActions.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/sig/SAML2Signature.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/api/util/DeflateUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/constants/AttributeConstants.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/constants/PicketLinkFederationConstants.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11AssertionParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11RequestParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11ResponseParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11SubjectParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLArtifactResolveParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLArtifactResponseParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAssertionParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAttributeQueryParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAuthNRequestParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLConditionsParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLRequestAbstractParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLResponseParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSloRequestParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSloResponseParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLStatusResponseTypeParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSubjectParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/AbstractDescriptorParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/SAMLEntitiesDescriptorParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/SAMLEntityDescriptorParser.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/util/SAML11ParserUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/util/SAMLParserUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/util/SecurityActions.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/SAML11Constants.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/BaseSAML11Writer.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/SAML11AssertionWriter.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/SAML11RequestWriter.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/SAML11ResponseWriter.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/common/IDGenerator.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/common/SAMLDocumentHolder.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/constants/X500SAMLProfileConstants.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/factories/JBossSAMLAuthnResponseFactory.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/factories/SAMLAssertionFactory.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/factories/SecurityActions.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/DestinationInfoHolder.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/IDPInfoHolder.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/IssuerInfoHolder.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/SPInfoHolder.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/SignatureInfoHolder.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/AssertionUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/DocumentUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SAMLMetadataUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SecurityActions.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SignatureUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/StatementUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/StaxWriterUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/XMLTimeUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/BaseWriter.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLAssertionWriter.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLMetadataWriter.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLRequestWriter.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLResponseWriter.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/CoreConfigUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/EncryptionKeyUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/IDFedLSInputResolver.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/JAXBUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/JAXPValidationUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/KeyStoreUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/NamespaceContext.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/ProvidersUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SchemaManagerUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SecurityActions.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SignatureUtilTransferObject.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLEncryptionUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/PostBindingUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/RedirectBindingSignatureUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/RedirectBindingUtil.java
 create mode 100755 saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/SecurityActions.java
 mode change 100644 => 100755 saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2AuthnRequestBuilder.java
 mode change 100644 => 100755 saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LoginResponseBuilder.java
 mode change 100644 => 100755 saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2NameIDPolicyBuilder.java

diff --git a/broker/saml/pom.xml b/broker/saml/pom.xml
index b7754c81b4..704427ae28 100755
--- a/broker/saml/pom.xml
+++ b/broker/saml/pom.xml
@@ -27,10 +27,18 @@
             <version>${project.version}</version>
             <scope>provided</scope>
         </dependency>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-saml-core</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <!--
         <dependency>
             <groupId>org.picketlink</groupId>
             <artifactId>picketlink-federation</artifactId>
         </dependency>
+        -->
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-services</artifactId>
diff --git a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java
index 7d4781e504..d2b8a88c9a 100755
--- a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java
+++ b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLEndpoint.java
@@ -20,28 +20,28 @@ import org.keycloak.protocol.saml.SamlProtocolUtils;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.messages.Messages;
 import org.keycloak.services.resources.flows.Flows;
-import org.picketlink.common.constants.GeneralConstants;
-import org.picketlink.common.constants.JBossSAMLConstants;
-import org.picketlink.common.constants.JBossSAMLURIConstants;
-import org.picketlink.common.exceptions.ConfigurationException;
-import org.picketlink.common.exceptions.ProcessingException;
-import org.picketlink.common.util.DocumentUtil;
-import org.picketlink.common.util.StaxParserUtil;
-import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
-import org.picketlink.identity.federation.core.parsers.saml.SAMLParser;
-import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
-import org.picketlink.identity.federation.core.util.JAXPValidationUtil;
-import org.picketlink.identity.federation.core.util.XMLEncryptionUtil;
-import org.picketlink.identity.federation.core.util.XMLSignatureUtil;
-import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
-import org.picketlink.identity.federation.saml.v2.assertion.AuthnStatementType;
-import org.picketlink.identity.federation.saml.v2.assertion.EncryptedAssertionType;
-import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
-import org.picketlink.identity.federation.saml.v2.assertion.SubjectType;
-import org.picketlink.identity.federation.saml.v2.protocol.LogoutRequestType;
-import org.picketlink.identity.federation.saml.v2.protocol.RequestAbstractType;
-import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
-import org.picketlink.identity.federation.saml.v2.protocol.StatusResponseType;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.DocumentUtil;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
+import org.keycloak.saml.processing.core.parsers.saml.SAMLParser;
+import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
+import org.keycloak.saml.processing.core.util.JAXPValidationUtil;
+import org.keycloak.saml.processing.core.util.XMLEncryptionUtil;
+import org.keycloak.saml.processing.core.util.XMLSignatureUtil;
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
+import org.keycloak.dom.saml.v2.assertion.AuthnStatementType;
+import org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.assertion.SubjectType;
+import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
+import org.keycloak.dom.saml.v2.protocol.RequestAbstractType;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
+import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
diff --git a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
index 60acd10c7f..af817c934a 100755
--- a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
+++ b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProvider.java
@@ -27,7 +27,7 @@ import org.keycloak.models.UserSessionModel;
 import org.keycloak.protocol.saml.SAML2AuthnRequestBuilder;
 import org.keycloak.protocol.saml.SAML2LogoutRequestBuilder;
 import org.keycloak.protocol.saml.SAML2NameIDPolicyBuilder;
-import org.picketlink.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
 
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
@@ -122,6 +122,7 @@ public class SAMLIdentityProvider extends AbstractIdentityProvider<SAMLIdentityP
         if (getConfig().getSingleLogoutServiceUrl() == null || getConfig().getSingleLogoutServiceUrl().trim().equals("")) return null;
 
         SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder()
+                .assertionExpiration(realm.getAccessCodeLifespan())
                 .issuer(getEntityId(uriInfo, realm))
                 .sessionIndex(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SESSION_INDEX))
                 .userPrincipal(userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT), userSession.getNote(SAMLEndpoint.SAML_FEDERATED_SUBJECT_NAMEFORMAT))
diff --git a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java
index cb8dff208f..0abf926814 100755
--- a/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java
+++ b/broker/saml/src/main/java/org/keycloak/broker/saml/SAMLIdentityProviderFactory.java
@@ -19,16 +19,16 @@ package org.keycloak.broker.saml;
 
 import org.keycloak.broker.provider.AbstractIdentityProviderFactory;
 import org.keycloak.models.IdentityProviderModel;
-import org.picketlink.common.constants.JBossSAMLURIConstants;
-import org.picketlink.common.exceptions.ParsingException;
-import org.picketlink.common.util.DocumentUtil;
-import org.picketlink.identity.federation.core.parsers.saml.SAMLParser;
-import org.picketlink.identity.federation.saml.v2.metadata.EndpointType;
-import org.picketlink.identity.federation.saml.v2.metadata.EntitiesDescriptorType;
-import org.picketlink.identity.federation.saml.v2.metadata.EntityDescriptorType;
-import org.picketlink.identity.federation.saml.v2.metadata.IDPSSODescriptorType;
-import org.picketlink.identity.federation.saml.v2.metadata.KeyDescriptorType;
-import org.picketlink.identity.federation.saml.v2.metadata.KeyTypes;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.util.DocumentUtil;
+import org.keycloak.saml.processing.core.parsers.saml.SAMLParser;
+import org.keycloak.dom.saml.v2.metadata.EndpointType;
+import org.keycloak.dom.saml.v2.metadata.EntitiesDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.EntityDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.IDPSSODescriptorType;
+import org.keycloak.dom.saml.v2.metadata.KeyDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.KeyTypes;
 import org.w3c.dom.Element;
 
 import javax.xml.namespace.QName;
diff --git a/dependencies/server-all/pom.xml b/dependencies/server-all/pom.xml
index 79b7b81b3e..9d8921f8ed 100755
--- a/dependencies/server-all/pom.xml
+++ b/dependencies/server-all/pom.xml
@@ -174,15 +174,22 @@
         </dependency>
 
         <!-- saml -->
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-saml-core</artifactId>
+            <version>${project.version}</version>
+        </dependency>
         <dependency>
             <groupId>org.keycloak</groupId>
             <artifactId>keycloak-saml-protocol</artifactId>
             <version>${project.version}</version>
         </dependency>
+        <!--
         <dependency>
             <groupId>org.picketlink</groupId>
             <artifactId>picketlink-federation</artifactId>
         </dependency>
+        -->
 
         <!-- mongo -->
         <dependency>
diff --git a/distribution/modules/build.xml b/distribution/modules/build.xml
index 308854c4d2..9f65cb95d4 100755
--- a/distribution/modules/build.xml
+++ b/distribution/modules/build.xml
@@ -267,6 +267,9 @@
             <maven-resource group="org.keycloak" artifact="keycloak-picketlink-ldap"/>
         </module-def>
 
+        <module-def name="org.keycloak.keycloak-saml-core">
+            <maven-resource group="org.keycloak" artifact="keycloak-saml-core"/>
+        </module-def>
         <module-def name="org.keycloak.keycloak-saml-protocol">
             <maven-resource group="org.keycloak" artifact="keycloak-saml-protocol"/>
         </module-def>
diff --git a/distribution/modules/src/main/resources/modules/org/keycloak/keycloak-broker-saml/main/module.xml b/distribution/modules/src/main/resources/modules/org/keycloak/keycloak-broker-saml/main/module.xml
index 3abeb2ca74..ac30917c48 100755
--- a/distribution/modules/src/main/resources/modules/org/keycloak/keycloak-broker-saml/main/module.xml
+++ b/distribution/modules/src/main/resources/modules/org/keycloak/keycloak-broker-saml/main/module.xml
@@ -10,10 +10,9 @@
         <module name="org.keycloak.keycloak-model-api"/>
         <module name="org.keycloak.keycloak-events-api"/>
         <module name="org.keycloak.keycloak-broker-core"/>
+        <module name="org.keycloak.keycloak-saml-core"/>
         <module name="org.keycloak.keycloak-saml-protocol"/>
         <module name="org.keycloak.keycloak-services"/>
-        <module name="org.picketlink.common"/>
-        <module name="org.picketlink.federation"/>
         <module name="org.jboss.logging"/>
         <module name="javax.ws.rs.api"/>
     </dependencies>
diff --git a/distribution/modules/src/main/resources/modules/org/keycloak/keycloak-saml-core/main/module.xml b/distribution/modules/src/main/resources/modules/org/keycloak/keycloak-saml-core/main/module.xml
new file mode 100755
index 0000000000..67d251429c
--- /dev/null
+++ b/distribution/modules/src/main/resources/modules/org/keycloak/keycloak-saml-core/main/module.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+
+
+<module xmlns="urn:jboss:module:1.1" name="org.keycloak.keycloak-saml-core">
+    <resources>
+        <!-- Insert resources here -->
+    </resources>
+    <dependencies>
+        <module name="org.jboss.logging"/>
+        <module name="org.apache.santuario.xmlsec">
+            <imports>
+                <exclude path="javax/*"/>
+            </imports>
+        </module>
+        <module name="javax.api"/>
+    </dependencies>
+
+</module>
diff --git a/distribution/modules/src/main/resources/modules/org/keycloak/keycloak-saml-protocol/main/module.xml b/distribution/modules/src/main/resources/modules/org/keycloak/keycloak-saml-protocol/main/module.xml
index 60b2db025f..687cb6b4c2 100755
--- a/distribution/modules/src/main/resources/modules/org/keycloak/keycloak-saml-protocol/main/module.xml
+++ b/distribution/modules/src/main/resources/modules/org/keycloak/keycloak-saml-protocol/main/module.xml
@@ -8,6 +8,7 @@
     </resources>
     <dependencies>
         <module name="org.keycloak.keycloak-core"/>
+        <module name="org.keycloak.keycloak-saml-core"/>
         <module name="org.keycloak.keycloak-model-api"/>
         <module name="org.keycloak.keycloak-events-api"/>
         <module name="org.keycloak.keycloak-account-api"/>
@@ -17,9 +18,6 @@
         <module name="org.keycloak.keycloak-forms-common-freemarker"/>
         <module name="org.apache.httpcomponents" />
         <module name="org.jboss.logging"/>
-        <module name="org.picketlink.common"/>
-        <module name="org.picketlink.federation"/>
-
         <module name="javax.ws.rs.api"/>
         <module name="org.jboss.resteasy.resteasy-jaxrs"/>
         <module name="org.jboss.resteasy.resteasy-crypto"/>
diff --git a/saml/saml-core/pom.xml b/saml/saml-core/pom.xml
index 5dac06c33f..c5242a4204 100755
--- a/saml/saml-core/pom.xml
+++ b/saml/saml-core/pom.xml
@@ -19,13 +19,20 @@
     </properties>
     <dependencies>
         <dependency>
-            <groupId>org.picketlink</groupId>
-            <artifactId>picketlink-federation</artifactId>
+            <groupId>org.jboss.logging</groupId>
+            <artifactId>jboss-logging</artifactId>
+            <scope>provided</scope>
         </dependency>
         <dependency>
-            <groupId>org.jboss.resteasy</groupId>
-            <artifactId>jaxrs-api</artifactId>
-            <scope>provided</scope>
+            <groupId>org.apache.santuario</groupId>
+            <artifactId>xmlsec</artifactId>
+            <version>1.5.1</version>
+            <exclusions>
+                <exclusion>
+                    <groupId>javax.servlet</groupId>
+                    <artifactId>servlet-api</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
         <dependency>
             <groupId>junit</groupId>
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonActionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonActionType.java
new file mode 100755
index 0000000000..6936b57bdb
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonActionType.java
@@ -0,0 +1,61 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.common;
+
+import java.io.Serializable;
+
+/**
+ * SAML Action Type
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class CommonActionType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    protected String namespace;
+
+    protected String value;
+
+    /**
+     * Gets the value of the namespace property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getNamespace() {
+        return namespace;
+    }
+
+    /**
+     * Sets the value of the namespace property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setNamespace(String value) {
+        this.namespace = value;
+    }
+
+    public String getValue() {
+        return value;
+    }
+
+    public void setValue(String value) {
+        this.value = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAdviceType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAdviceType.java
new file mode 100755
index 0000000000..b6d3a2bd86
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAdviceType.java
@@ -0,0 +1,65 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.common;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * SAML Advice Type
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class CommonAdviceType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<Object> advices = new ArrayList<Object>();
+
+    /**
+     * Add an advice
+     *
+     * @param obj
+     */
+    public void addAdvice(Object obj) {
+        advices.add(obj);
+    }
+
+    /**
+     * Remove an advice
+     *
+     * @param advice
+     *
+     * @return
+     */
+    public boolean remove(Object advice) {
+        return this.advices.remove(advice);
+    }
+
+    /**
+     * Gets the advices. (Read only list)
+     *
+     * @return {@link List} read only
+     */
+    public List<Object> getAdvices() {
+        return Collections.unmodifiableList(advices);
+    }
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAssertionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAssertionType.java
new file mode 100755
index 0000000000..0637d7f2d0
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonAssertionType.java
@@ -0,0 +1,54 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.common;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.io.Serializable;
+
+/**
+ * SAML AssertionType
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 21, 2011
+ */
+public class CommonAssertionType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    protected XMLGregorianCalendar issueInstant;
+
+    protected String ID;
+
+    public CommonAssertionType(String iD, XMLGregorianCalendar issueInstant) {
+        if (iD == null)
+            throw new IllegalArgumentException("iD is null");
+        if (issueInstant == null)
+            throw new IllegalArgumentException("issueInstant is null");
+
+        this.issueInstant = issueInstant;
+        ID = iD;
+    }
+
+    public XMLGregorianCalendar getIssueInstant() {
+        return issueInstant;
+    }
+
+    public String getID() {
+        return ID;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonConditionsType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonConditionsType.java
new file mode 100755
index 0000000000..4ad88a5e08
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonConditionsType.java
@@ -0,0 +1,70 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.common;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.io.Serializable;
+
+/**
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class CommonConditionsType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    protected XMLGregorianCalendar notBefore;
+
+    protected XMLGregorianCalendar notOnOrAfter;
+
+    /**
+     * Gets the value of the notBefore property.
+     *
+     * @return possible object is {@link XMLGregorianCalendar }
+     */
+    public XMLGregorianCalendar getNotBefore() {
+        return notBefore;
+    }
+
+    /**
+     * Sets the value of the notBefore property.
+     *
+     * @param value allowed object is {@link XMLGregorianCalendar }
+     */
+    public void setNotBefore(XMLGregorianCalendar value) {
+        this.notBefore = value;
+    }
+
+    /**
+     * Gets the value of the notOnOrAfter property.
+     *
+     * @return possible object is {@link XMLGregorianCalendar }
+     */
+    public XMLGregorianCalendar getNotOnOrAfter() {
+        return notOnOrAfter;
+    }
+
+    /**
+     * Sets the value of the notOnOrAfter property.
+     *
+     * @param value allowed object is {@link XMLGregorianCalendar }
+     */
+    public void setNotOnOrAfter(XMLGregorianCalendar value) {
+        this.notOnOrAfter = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonRequestAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonRequestAbstractType.java
new file mode 100755
index 0000000000..9ba0638ab9
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonRequestAbstractType.java
@@ -0,0 +1,81 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.common;
+
+import org.w3c.dom.Element;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.io.Serializable;
+
+/**
+ * SAML Request Abstract Type
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public abstract class CommonRequestAbstractType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    protected String id;
+
+    protected XMLGregorianCalendar issueInstant;
+
+    protected Element signature;
+
+    public CommonRequestAbstractType(String id, XMLGregorianCalendar issueInstant) {
+        this.id = id;
+        this.issueInstant = issueInstant;
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getID() {
+        return id;
+    }
+
+    /**
+     * Gets the value of the issueInstant property.
+     *
+     * @return possible object is {@link XMLGregorianCalendar }
+     */
+    public XMLGregorianCalendar getIssueInstant() {
+        return issueInstant;
+    }
+
+    /**
+     * Gets the value of the signature property.
+     *
+     * @return possible object is {@link org.keycloak.dom.xmlsec.w3.xmldsig.SignatureType }
+     */
+    public Element getSignature() {
+        return signature;
+    }
+
+    /**
+     * Sets the value of the signature property.
+     *
+     * @param value allowed object is {@link org.keycloak.dom.xmlsec.w3.xmldsig.SignatureType }
+     */
+    public void setSignature(Element value) {
+        this.signature = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonResponseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonResponseType.java
new file mode 100755
index 0000000000..fbb4f6504e
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonResponseType.java
@@ -0,0 +1,99 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.common;
+
+import org.w3c.dom.Element;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.io.Serializable;
+
+/**
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class CommonResponseType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    protected String id;
+
+    protected XMLGregorianCalendar issueInstant;
+
+    protected String inResponseTo;
+
+    protected Element signature;
+
+    public CommonResponseType(String id, XMLGregorianCalendar issueInstant) {
+        this.id = id;
+        this.issueInstant = issueInstant;
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getID() {
+        return id;
+    }
+
+    /**
+     * Gets the value of the issueInstant property.
+     *
+     * @return possible object is {@link XMLGregorianCalendar }
+     */
+    public XMLGregorianCalendar getIssueInstant() {
+        return issueInstant;
+    }
+
+    /**
+     * Gets the value of the inResponseTo property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getInResponseTo() {
+        return inResponseTo;
+    }
+
+    /**
+     * Sets the value of the inResponseTo property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setInResponseTo(String value) {
+        this.inResponseTo = value;
+    }
+
+    /**
+     * Gets the value of the signature property.
+     *
+     * @return possible object is {@link org.keycloak.dom.xmlsec.w3.xmldsig.SignatureType }
+     */
+    public Element getSignature() {
+        return signature;
+    }
+
+    /**
+     * Sets the value of the signature property.
+     *
+     * @param value allowed object is {@link org.keycloak.dom.xmlsec.w3.xmldsig.SignatureType }
+     */
+    public void setSignature(Element value) {
+        this.signature = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonStatusDetailType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonStatusDetailType.java
new file mode 100755
index 0000000000..cb427e3ec9
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/common/CommonStatusDetailType.java
@@ -0,0 +1,74 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.common;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for StatusDetailType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="StatusDetailType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class CommonStatusDetailType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<Object> any = new ArrayList<Object>();
+
+    /**
+     * Add status detail
+     *
+     * @param obj
+     */
+    public void addStatusDetail(Object obj) {
+        this.any.add(obj);
+    }
+
+    /**
+     * Remove status detail
+     *
+     * @param obj
+     */
+    public void removeStatusDetail(Object obj) {
+        this.any.remove(obj);
+    }
+
+    /**
+     * Gets the value of the any property. Read-Only list
+     */
+    public List<Object> getAny() {
+        return Collections.unmodifiableList(this.any);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ActionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ActionType.java
new file mode 100755
index 0000000000..8e70a3b38d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ActionType.java
@@ -0,0 +1,35 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import org.keycloak.dom.saml.common.CommonActionType;
+
+/**
+ * SAML11 Action Type
+ *
+ * <complexType name="ActionType"> <simpleContent> <extension base="string"> <attribute name="Namespace"
+ * type="anyURI"/>
+ * </extension> </simpleContent> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11ActionType extends CommonActionType {
+
+    private static final long serialVersionUID = 1L;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AdviceType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AdviceType.java
new file mode 100755
index 0000000000..0f0dcc686b
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AdviceType.java
@@ -0,0 +1,33 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import org.keycloak.dom.saml.common.CommonAdviceType;
+
+/**
+ * <complexType name="AdviceType"> <choice minOccurs="0" maxOccurs="unbounded"> <element
+ * ref="saml:AssertionIDReference"/>
+ * <element ref="saml:Assertion"/> <any namespace="##other" processContents="lax"/> </choice> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11AdviceType extends CommonAdviceType {
+
+    private static final long serialVersionUID = 1L;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AssertionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AssertionType.java
new file mode 100755
index 0000000000..1a72241e24
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AssertionType.java
@@ -0,0 +1,124 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import org.keycloak.dom.saml.common.CommonAssertionType;
+import org.w3c.dom.Element;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <complexType name="AssertionType"> <sequence> <element ref="saml:Conditions" minOccurs="0"/> <element
+ * ref="saml:Advice"
+ * minOccurs="0"/> <choice maxOccurs="unbounded"> <element ref="saml:Statement"/> <element
+ * ref="saml:SubjectStatement"/>
+ * <element ref="saml:AuthenticationStatement"/> <element ref="saml:AuthorizationDecisionStatement"/> <element
+ * ref="saml:AttributeStatement"/> </choice>
+ *
+ * <element ref="ds:Signature" minOccurs="0"/> </sequence> <attribute name="MajorVersion" type="integer"
+ * use="required"/>
+ * <attribute name="MinorVersion" type="integer" use="required"/> <attribute name="AssertionID" type="ID"
+ * use="required"/>
+ * <attribute name="Issuer" type="string" use="required"/> <attribute name="IssueInstant" type="dateTime"
+ * use="required"/>
+ * </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 21, 2011
+ */
+public class SAML11AssertionType extends CommonAssertionType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected int majorVersion = 1;
+
+    protected int minorVersion = 1;
+
+    protected SAML11ConditionsType conditions;
+
+    protected SAML11AdviceType advice;
+
+    protected List<SAML11StatementAbstractType> statements = new ArrayList<SAML11StatementAbstractType>();
+
+    protected Element signature;
+
+    protected String issuer;
+
+    public SAML11AssertionType(String iD, XMLGregorianCalendar issueInstant) {
+        super(iD, issueInstant);
+    }
+
+    public int getMajorVersion() {
+        return majorVersion;
+    }
+
+    public int getMinorVersion() {
+        return minorVersion;
+    }
+
+    public void add(SAML11StatementAbstractType statement) {
+        this.statements.add(statement);
+    }
+
+    public void addAllStatements(List<SAML11StatementAbstractType> statement) {
+        this.statements.addAll(statement);
+    }
+
+    public boolean remove(SAML11StatementAbstractType statement) {
+        return this.statements.remove(statement);
+    }
+
+    public List<SAML11StatementAbstractType> getStatements() {
+        return Collections.unmodifiableList(statements);
+    }
+
+    public SAML11ConditionsType getConditions() {
+        return conditions;
+    }
+
+    public void setConditions(SAML11ConditionsType conditions) {
+        this.conditions = conditions;
+    }
+
+    public SAML11AdviceType getAdvice() {
+        return advice;
+    }
+
+    public void setAdvice(SAML11AdviceType advice) {
+        this.advice = advice;
+    }
+
+    public Element getSignature() {
+        return signature;
+    }
+
+    public void setSignature(Element signature) {
+        this.signature = signature;
+    }
+
+    public String getIssuer() {
+        return issuer;
+    }
+
+    public void setIssuer(String issuer) {
+        this.issuer = issuer;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeDesignatorType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeDesignatorType.java
new file mode 100755
index 0000000000..06ea5c1acd
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeDesignatorType.java
@@ -0,0 +1,48 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import java.net.URI;
+
+/**
+ * <complexType name="AttributeDesignatorType"> <attribute name="AttributeName" type="string" use="required"/>
+ * <attribute
+ * name="AttributeNamespace" type="anyURI" use="required"/> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11AttributeDesignatorType {
+
+    protected String attributeName;
+
+    protected URI attributeNamespace;
+
+    public SAML11AttributeDesignatorType(String attributeName, URI attributeNamespace) {
+        this.attributeName = attributeName;
+        this.attributeNamespace = attributeNamespace;
+    }
+
+    public String getAttributeName() {
+        return attributeName;
+    }
+
+    public URI getAttributeNamespace() {
+        return attributeNamespace;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeStatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeStatementType.java
new file mode 100755
index 0000000000..f572210562
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeStatementType.java
@@ -0,0 +1,55 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <complexType name="AttributeStatementType"> <complexContent> <extension base="saml:SubjectStatementAbstractType">
+ * <sequence>
+ * <element ref="saml:Attribute" maxOccurs="unbounded"/>
+ *
+ * </sequence> </extension> </complexContent> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11AttributeStatementType extends SAML11SubjectStatementType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<SAML11AttributeType> attribute = new ArrayList<SAML11AttributeType>();
+
+    public void add(SAML11AttributeType aAttribute) {
+        this.attribute.add(aAttribute);
+    }
+
+    public void addAllAttributes(List<SAML11AttributeType> attribList) {
+        this.attribute.addAll(attribList);
+    }
+
+    public boolean remove(SAML11AttributeType anAttrib) {
+        return this.attribute.remove(anAttrib);
+    }
+
+    public List<SAML11AttributeType> get() {
+        return Collections.unmodifiableList(attribute);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeType.java
new file mode 100755
index 0000000000..48e97e6747
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AttributeType.java
@@ -0,0 +1,58 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <complexType name="AttributeType"> <complexContent> <extension base="saml:AttributeDesignatorType"> <sequence>
+ * <element
+ * ref="saml:AttributeValue" maxOccurs="unbounded"/> </sequence> </extension> </complexContent>
+ *
+ * </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11AttributeType extends SAML11AttributeDesignatorType {
+
+    protected List<Object> attributeValues = new ArrayList<Object>();
+
+    public SAML11AttributeType(String attributeName, URI attributeNamespace) {
+        super(attributeName, attributeNamespace);
+    }
+
+    public void add(Object attribValue) {
+        this.attributeValues.add(attribValue);
+    }
+
+    public void addAll(List<Object> attribValueList) {
+        this.attributeValues.addAll(attribValueList);
+    }
+
+    public boolean remove(Object attribVal) {
+        return this.attributeValues.remove(attribVal);
+    }
+
+    public List<Object> get() {
+        return Collections.unmodifiableList(attributeValues);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AudienceRestrictionCondition.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AudienceRestrictionCondition.java
new file mode 100755
index 0000000000..f54ef3795a
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AudienceRestrictionCondition.java
@@ -0,0 +1,55 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <complexType name="AudienceRestrictionConditionType"> <complexContent> <extension base="saml:ConditionAbstractType">
+ * <sequence> <element ref="saml:Audience" maxOccurs="unbounded"/> </sequence>
+ *
+ * </extension> </complexContent> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11AudienceRestrictionCondition extends SAML11ConditionAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<URI> audience = new ArrayList<URI>();
+
+    public void add(URI advice) {
+        this.audience.add(advice);
+    }
+
+    public void addAll(List<URI> advice) {
+        this.audience.addAll(advice);
+    }
+
+    public boolean remove(URI advice) {
+        return this.audience.remove(advice);
+    }
+
+    public List<URI> get() {
+        return Collections.unmodifiableList(audience);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthenticationStatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthenticationStatementType.java
new file mode 100755
index 0000000000..fd2fbe0fd5
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthenticationStatementType.java
@@ -0,0 +1,84 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <complexType name="AuthenticationStatementType"> <complexContent> <extension base="saml:SubjectStatementAbstractType">
+ *
+ * <sequence> <element ref="saml:SubjectLocality" minOccurs="0"/> <element ref="saml:AuthorityBinding" minOccurs="0"
+ * maxOccurs="unbounded"/> </sequence> <attribute name="AuthenticationMethod" type="anyURI" use="required"/> <attribute
+ * name="AuthenticationInstant" type="dateTime" use="required"/> </extension> </complexContent> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11AuthenticationStatementType extends SAML11SubjectStatementType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected URI authenticationMethod;
+
+    protected XMLGregorianCalendar authenticationInstant;
+
+    protected SAML11SubjectLocalityType subjectLocality;
+
+    protected List<SAML11AuthorityBindingType> authorityBinding = new ArrayList<SAML11AuthorityBindingType>();
+
+    public SAML11AuthenticationStatementType(URI authenticationMethod, XMLGregorianCalendar authenticationInstant) {
+        this.authenticationMethod = authenticationMethod;
+        this.authenticationInstant = authenticationInstant;
+    }
+
+    public URI getAuthenticationMethod() {
+        return authenticationMethod;
+    }
+
+    public XMLGregorianCalendar getAuthenticationInstant() {
+        return authenticationInstant;
+    }
+
+    public SAML11SubjectLocalityType getSubjectLocality() {
+        return subjectLocality;
+    }
+
+    public void setSubjectLocality(SAML11SubjectLocalityType subjectLocality) {
+        this.subjectLocality = subjectLocality;
+    }
+
+    public void add(SAML11AuthorityBindingType advice) {
+        this.authorityBinding.add(advice);
+    }
+
+    public void addAllAuthorityBindingType(List<SAML11AuthorityBindingType> advice) {
+        this.authorityBinding.addAll(advice);
+    }
+
+    public boolean remove(SAML11AuthorityBindingType advice) {
+        return this.authorityBinding.remove(advice);
+    }
+
+    public List<SAML11AuthorityBindingType> getAuthorityBindingType() {
+        return Collections.unmodifiableList(authorityBinding);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthorityBindingType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthorityBindingType.java
new file mode 100755
index 0000000000..e741aee1f4
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthorityBindingType.java
@@ -0,0 +1,58 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import javax.xml.namespace.QName;
+import java.net.URI;
+
+/**
+ * <complexType name="AuthorityBindingType"> <attribute name="AuthorityKind" type="QName" use="required"/> <attribute
+ * name="Location" type="anyURI" use="required"/>
+ *
+ * <attribute name="Binding" type="anyURI" use="required"/> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11AuthorityBindingType {
+
+    protected QName authorityKind;
+
+    protected URI location;
+
+    protected URI binding;
+
+    public SAML11AuthorityBindingType(QName authorityKind, URI location, URI binding) {
+        super();
+        this.authorityKind = authorityKind;
+        this.location = location;
+        this.binding = binding;
+    }
+
+    public QName getAuthorityKind() {
+        return authorityKind;
+    }
+
+    public URI getLocation() {
+        return location;
+    }
+
+    public URI getBinding() {
+        return binding;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthorizationDecisionStatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthorizationDecisionStatementType.java
new file mode 100755
index 0000000000..970535b958
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11AuthorizationDecisionStatementType.java
@@ -0,0 +1,81 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <complexType name="AuthorizationDecisionStatementType"> <complexContent> <extension
+ * base="saml:SubjectStatementAbstractType">
+ * <sequence> <element ref="saml:Action" maxOccurs="unbounded"/> <element ref="saml:Evidence" minOccurs="0"/>
+ *
+ * </sequence> <attribute name="Resource" type="anyURI" use="required"/> <attribute name="Decision"
+ * type="saml:DecisionType"
+ * use="required"/> </extension> </complexContent> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11AuthorizationDecisionStatementType extends SAML11SubjectStatementType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<SAML11ActionType> actions = new ArrayList<SAML11ActionType>();
+
+    protected SAML11EvidenceType evidence;
+
+    protected URI resource;
+
+    protected SAML11DecisionType decision;
+
+    public SAML11AuthorizationDecisionStatementType(URI resource, SAML11DecisionType decision) {
+        this.resource = resource;
+        this.decision = decision;
+    }
+
+    public URI getResource() {
+        return resource;
+    }
+
+    public SAML11DecisionType getDecision() {
+        return decision;
+    }
+
+    public void addAction(SAML11ActionType action) {
+        this.actions.add(action);
+    }
+
+    public boolean removeAction(SAML11ActionType action) {
+        return this.actions.remove(action);
+    }
+
+    public List<SAML11ActionType> getActions() {
+        return Collections.unmodifiableList(actions);
+    }
+
+    public SAML11EvidenceType getEvidence() {
+        return evidence;
+    }
+
+    public void setEvidence(SAML11EvidenceType evidence) {
+        this.evidence = evidence;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionAbstractType.java
new file mode 100755
index 0000000000..4208335103
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionAbstractType.java
@@ -0,0 +1,29 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import java.io.Serializable;
+
+/**
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public abstract class SAML11ConditionAbstractType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionType.java
new file mode 100755
index 0000000000..f06bf32e5e
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionType.java
@@ -0,0 +1,27 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+/**
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11ConditionType extends SAML11ConditionAbstractType {
+
+    private static final long serialVersionUID = 1L;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsAbstractType.java
new file mode 100755
index 0000000000..9106bf2916
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsAbstractType.java
@@ -0,0 +1,29 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import java.io.Serializable;
+
+/**
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public abstract class SAML11ConditionsAbstractType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsType.java
new file mode 100755
index 0000000000..4a4662cc4f
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11ConditionsType.java
@@ -0,0 +1,58 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import org.keycloak.dom.saml.common.CommonConditionsType;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <complexType name="ConditionsType"> <choice minOccurs="0" maxOccurs="unbounded"> <element
+ * ref="saml:AudienceRestrictionCondition"/> <element ref="saml:DoNotCacheCondition"/> <element ref="saml:Condition"/>
+ * </choice>
+ * <attribute name="NotBefore" type="dateTime" use="optional"/> <attribute name="NotOnOrAfter" type="dateTime"
+ * use="optional"/>
+ * </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11ConditionsType extends CommonConditionsType {
+
+    private static final long serialVersionUID = 1L;
+
+    public List<SAML11ConditionAbstractType> conditions = new ArrayList<SAML11ConditionAbstractType>();
+
+    public void add(SAML11ConditionAbstractType condition) {
+        this.conditions.add(condition);
+    }
+
+    public void addAll(List<SAML11ConditionAbstractType> theConditions) {
+        this.conditions.addAll(theConditions);
+    }
+
+    public boolean remove(SAML11ConditionsAbstractType condition) {
+        return this.conditions.remove(condition);
+    }
+
+    public List<SAML11ConditionAbstractType> get() {
+        return Collections.unmodifiableList(conditions);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11DecisionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11DecisionType.java
new file mode 100755
index 0000000000..e1e535402e
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11DecisionType.java
@@ -0,0 +1,31 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+/**
+ * <simpleType name="DecisionType"> <restriction base="string">
+ *
+ * <enumeration value="Permit"/> <enumeration value="Deny"/> <enumeration value="Indeterminate"/> </restriction>
+ * </simpleType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public enum SAML11DecisionType {
+    Permit, Deny, Indeterminate;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11DoNotCacheConditionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11DoNotCacheConditionType.java
new file mode 100755
index 0000000000..dc0c791fe3
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11DoNotCacheConditionType.java
@@ -0,0 +1,27 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+/**
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11DoNotCacheConditionType extends SAML11ConditionAbstractType {
+
+    private static final long serialVersionUID = 1L;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11EvidenceType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11EvidenceType.java
new file mode 100755
index 0000000000..be9d354ca7
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11EvidenceType.java
@@ -0,0 +1,69 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <complexType name="EvidenceType"> <choice maxOccurs="unbounded"> <element ref="saml:AssertionIDReference"/>
+ *
+ * <element ref="saml:Assertion"/> </choice> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11EvidenceType {
+
+    protected List<String> assertionIDReference = new ArrayList<String>();
+
+    protected List<SAML11AssertionType> assertions = new ArrayList<SAML11AssertionType>();
+
+    public void add(String condition) {
+        this.assertionIDReference.add(condition);
+    }
+
+    public void addAllAssertionIDReference(List<String> theassertionIDReference) {
+        this.assertionIDReference.addAll(theassertionIDReference);
+    }
+
+    public boolean remove(String assertionIDReference) {
+        return this.assertionIDReference.remove(assertionIDReference);
+    }
+
+    public List<String> getAssertionIDReference() {
+        return Collections.unmodifiableList(assertionIDReference);
+    }
+
+    public void add(SAML11AssertionType condition) {
+        this.assertions.add(condition);
+    }
+
+    public void addAllAssertionType(List<SAML11AssertionType> theassertions) {
+        this.assertions.addAll(theassertions);
+    }
+
+    public boolean remove(SAML11AssertionType assertion) {
+        return this.assertions.remove(assertionIDReference);
+    }
+
+    public List<SAML11AssertionType> getAssertions() {
+        return Collections.unmodifiableList(assertions);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11NameIdentifierType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11NameIdentifierType.java
new file mode 100755
index 0000000000..0687f3c7e7
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11NameIdentifierType.java
@@ -0,0 +1,64 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import java.io.Serializable;
+import java.net.URI;
+
+/**
+ * <complexType name="NameIdentifierType"> <simpleContent> <extension base="string"> <attribute name="NameQualifier"
+ * type="string" use="optional"/> <attribute name="Format" type="anyURI" use="optional"/> </extension> </simpleContent>
+ * </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11NameIdentifierType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    protected String nameQualifier;
+
+    protected URI format;
+
+    protected String value;
+
+    public SAML11NameIdentifierType(String val) {
+        this.value = val;
+    }
+
+    public String getNameQualifier() {
+        return nameQualifier;
+    }
+
+    public void setNameQualifier(String nameQualifier) {
+        this.nameQualifier = nameQualifier;
+    }
+
+    public URI getFormat() {
+        return format;
+    }
+
+    public void setFormat(URI format) {
+        this.format = format;
+    }
+
+    public String getValue() {
+        return value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementAbstractType.java
new file mode 100755
index 0000000000..96f1a24cbf
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementAbstractType.java
@@ -0,0 +1,29 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import java.io.Serializable;
+
+/**
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public abstract class SAML11StatementAbstractType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementType.java
new file mode 100755
index 0000000000..fa8a94de99
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11StatementType.java
@@ -0,0 +1,27 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+/**
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11StatementType extends SAML11StatementAbstractType {
+
+    private static final long serialVersionUID = 1L;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectConfirmationType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectConfirmationType.java
new file mode 100755
index 0000000000..b2e5434aa0
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectConfirmationType.java
@@ -0,0 +1,76 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+import org.w3c.dom.Element;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <complexType name="SubjectConfirmationType"> <sequence> <element ref="saml:ConfirmationMethod"
+ * maxOccurs="unbounded"/>
+ * <element ref="saml:SubjectConfirmationData" minOccurs="0"/>
+ *
+ * <element ref="ds:KeyInfo" minOccurs="0"/> </sequence> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11SubjectConfirmationType {
+
+    protected List<URI> confirmationMethod = new ArrayList<URI>();
+
+    protected Object subjectConfirmationData;
+
+    protected Element keyInfo;
+
+    public void addConfirmationMethod(URI confirmation) {
+        this.confirmationMethod.add(confirmation);
+    }
+
+    public void addAllConfirmationMethod(List<URI> confirmation) {
+        this.confirmationMethod.addAll(confirmation);
+    }
+
+    public boolean removeConfirmationMethod(URI confirmation) {
+        return this.confirmationMethod.remove(confirmation);
+    }
+
+    public List<URI> getConfirmationMethod() {
+        return Collections.unmodifiableList(confirmationMethod);
+    }
+
+    public void setSubjectConfirmationData(Object subjectConfirmation) {
+        this.subjectConfirmationData = subjectConfirmation;
+    }
+
+    public Element getKeyInfo() {
+        return keyInfo;
+    }
+
+    public void setKeyInfo(Element keyInfo) {
+        this.keyInfo = keyInfo;
+    }
+
+    public Object getSubjectConfirmationData() {
+        return subjectConfirmationData;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectLocalityType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectLocalityType.java
new file mode 100755
index 0000000000..c905175f4d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectLocalityType.java
@@ -0,0 +1,48 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+/**
+ * <complexType name="SubjectLocalityType"> <attribute name="IPAddress" type="string" use="optional"/> <attribute
+ * name="DNSAddress" type="string" use="optional"/> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11SubjectLocalityType {
+
+    protected String ipAddress;
+
+    protected String dnsAddress;
+
+    public String getIpAddress() {
+        return ipAddress;
+    }
+
+    public void setIpAddress(String ipAddress) {
+        this.ipAddress = ipAddress;
+    }
+
+    public String getDnsAddress() {
+        return dnsAddress;
+    }
+
+    public void setDnsAddress(String dnsAddress) {
+        this.dnsAddress = dnsAddress;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectStatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectStatementType.java
new file mode 100755
index 0000000000..d6118ae325
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectStatementType.java
@@ -0,0 +1,49 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+/**
+ * <complexType name="SubjectStatementAbstractType" abstract="true"> <complexContent> <extension
+ * base="saml:StatementAbstractType"> <sequence> <element ref="saml:Subject"/> </sequence>
+ *
+ * </extension> </complexContent> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11SubjectStatementType extends SAML11StatementAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected SAML11SubjectType subject;
+
+    public SAML11SubjectStatementType() {
+    }
+
+    public SAML11SubjectStatementType(SAML11SubjectType subject) {
+        this.subject = subject;
+    }
+
+    public SAML11SubjectType getSubject() {
+        return subject;
+    }
+
+    public void setSubject(SAML11SubjectType subject) {
+        this.subject = subject;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectType.java
new file mode 100755
index 0000000000..ce14f4f235
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/assertion/SAML11SubjectType.java
@@ -0,0 +1,73 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.assertion;
+
+/**
+ * <complexType name="SubjectType"> <choice> <sequence> <element ref="saml:NameIdentifier"/> <element
+ * ref="saml:SubjectConfirmation" minOccurs="0"/>
+ *
+ * </sequence> <element ref="saml:SubjectConfirmation"/> </choice> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11SubjectType {
+
+    public static class SAML11SubjectTypeChoice {
+
+        protected SAML11NameIdentifierType nameID;
+
+        protected SAML11SubjectConfirmationType subjectConfirmation;
+
+        public SAML11SubjectTypeChoice(SAML11NameIdentifierType nameID) {
+            this.nameID = nameID;
+        }
+
+        public SAML11SubjectTypeChoice(SAML11SubjectConfirmationType subConfirms) {
+            this.subjectConfirmation = subConfirms;
+        }
+
+        public SAML11NameIdentifierType getNameID() {
+            return nameID;
+        }
+
+        public SAML11SubjectConfirmationType getSubjectConfirmation() {
+            return subjectConfirmation;
+        }
+    }
+
+    protected SAML11SubjectConfirmationType subjectConfirmation;
+
+    protected SAML11SubjectTypeChoice choice;
+
+    public SAML11SubjectConfirmationType getSubjectConfirmation() {
+        return subjectConfirmation;
+    }
+
+    public void setSubjectConfirmation(SAML11SubjectConfirmationType subjectConfirmation) {
+        this.subjectConfirmation = subjectConfirmation;
+    }
+
+    public SAML11SubjectTypeChoice getChoice() {
+        return choice;
+    }
+
+    public void setChoice(SAML11SubjectTypeChoice choice) {
+        this.choice = choice;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AttributeQueryType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AttributeQueryType.java
new file mode 100755
index 0000000000..9f13479c95
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AttributeQueryType.java
@@ -0,0 +1,64 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.protocol;
+
+import org.keycloak.dom.saml.v1.assertion.SAML11AttributeDesignatorType;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <complexType name="AttributeQueryType"> <complexContent> <extension base="samlp:SubjectQueryAbstractType">
+ * <sequence>
+ * <element ref="saml:AttributeDesignator" minOccurs="0" maxOccurs="unbounded"/> </sequence>
+ *
+ * <attribute name="Resource" type="anyURI" use="optional"/> </extension> </complexContent> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11AttributeQueryType extends SAML11SubjectQueryAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<SAML11AttributeDesignatorType> attributeDesignator = new ArrayList<SAML11AttributeDesignatorType>();
+
+    protected URI resource;
+
+    public URI getResource() {
+        return resource;
+    }
+
+    public void setResource(URI resource) {
+        this.resource = resource;
+    }
+
+    public void add(SAML11AttributeDesignatorType sadt) {
+        this.attributeDesignator.add(sadt);
+    }
+
+    public boolean remove(SAML11AttributeDesignatorType sadt) {
+        return this.attributeDesignator.remove(sadt);
+    }
+
+    public List<SAML11AttributeDesignatorType> get() {
+        return Collections.unmodifiableList(attributeDesignator);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthenticationQueryType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthenticationQueryType.java
new file mode 100755
index 0000000000..d2d7bc0a85
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthenticationQueryType.java
@@ -0,0 +1,45 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.protocol;
+
+import java.net.URI;
+
+/**
+ * <complexType name="AuthenticationQueryType"> <complexContent> <extension base="samlp:SubjectQueryAbstractType">
+ * <attribute
+ * name="AuthenticationMethod" type="anyURI"/> </extension>
+ *
+ * </complexContent> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11AuthenticationQueryType extends SAML11SubjectQueryAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected URI authenticationMethod;
+
+    public URI getAuthenticationMethod() {
+        return authenticationMethod;
+    }
+
+    public void setAuthenticationMethod(URI authenticationMethod) {
+        this.authenticationMethod = authenticationMethod;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthorizationDecisionQueryType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthorizationDecisionQueryType.java
new file mode 100755
index 0000000000..dc9d9b868c
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11AuthorizationDecisionQueryType.java
@@ -0,0 +1,77 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.protocol;
+
+import org.keycloak.dom.saml.v1.assertion.SAML11ActionType;
+import org.keycloak.dom.saml.v1.assertion.SAML11EvidenceType;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <complexType name="AuthorizationDecisionQueryType"> <complexContent> <extension
+ * base="samlp:SubjectQueryAbstractType">
+ * <sequence>
+ *
+ * <element ref="saml:Action" maxOccurs="unbounded"/> <element ref="saml:Evidence" minOccurs="0"/> </sequence>
+ * <attribute
+ * name="Resource" type="anyURI" use="required"/> </extension> </complexContent> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11AuthorizationDecisionQueryType extends SAML11SubjectQueryAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<SAML11ActionType> action = new ArrayList<SAML11ActionType>();
+
+    protected SAML11EvidenceType evidence;
+
+    protected URI resource;
+
+    public URI getResource() {
+        return resource;
+    }
+
+    public void setResource(URI resource) {
+        this.resource = resource;
+    }
+
+    public SAML11EvidenceType getEvidence() {
+        return evidence;
+    }
+
+    public void setEvidence(SAML11EvidenceType evidence) {
+        this.evidence = evidence;
+    }
+
+    public void add(SAML11ActionType sadt) {
+        this.action.add(sadt);
+    }
+
+    public boolean remove(SAML11ActionType sadt) {
+        return this.action.remove(sadt);
+    }
+
+    public List<SAML11ActionType> get() {
+        return Collections.unmodifiableList(action);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11QueryAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11QueryAbstractType.java
new file mode 100755
index 0000000000..3b2c6df88f
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11QueryAbstractType.java
@@ -0,0 +1,29 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.protocol;
+
+import java.io.Serializable;
+
+/**
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public abstract class SAML11QueryAbstractType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestAbstractType.java
new file mode 100755
index 0000000000..f0fa48b34c
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestAbstractType.java
@@ -0,0 +1,77 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.protocol;
+
+import org.keycloak.dom.saml.common.CommonRequestAbstractType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <complexType name="RequestAbstractType" abstract="true">
+ *
+ * <sequence> <element ref="samlp:RespondWith" minOccurs="0" maxOccurs="unbounded"/> <element ref="ds:Signature"
+ * minOccurs="0"/>
+ * </sequence> <attribute name="RequestID" type="ID" use="required"/> <attribute name="MajorVersion" type="integer"
+ * use="required"/> <attribute name="MinorVersion" type="integer" use="required"/> <attribute name="IssueInstant"
+ * type="dateTime" use="required"/> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public abstract class SAML11RequestAbstractType extends CommonRequestAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected int majorVersion = 1;
+
+    protected int minorVersion = 1;
+
+    protected List<QName> respondWith = new ArrayList<QName>();
+
+    public SAML11RequestAbstractType(String id, XMLGregorianCalendar issueInstant) {
+        super(id, issueInstant);
+    }
+
+    public int getMajorVersion() {
+        return majorVersion;
+    }
+
+    public int getMinorVersion() {
+        return minorVersion;
+    }
+
+    public void add(QName rw) {
+        this.respondWith.add(rw);
+    }
+
+    public void addAllConditions(List<QName> rw) {
+        this.respondWith.addAll(rw);
+    }
+
+    public boolean remove(QName rw) {
+        return this.respondWith.remove(rw);
+    }
+
+    public List<QName> getRespondWith() {
+        return Collections.unmodifiableList(respondWith);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestType.java
new file mode 100755
index 0000000000..f86ff31299
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11RequestType.java
@@ -0,0 +1,82 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.protocol;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <complexType name="RequestType"> <complexContent> <extension base="samlp:RequestAbstractType"> <choice> <element
+ * ref="samlp:Query"/> <element ref="samlp:SubjectQuery"/> <element ref="samlp:AuthenticationQuery"/>
+ *
+ * <element ref="samlp:AttributeQuery"/> <element ref="samlp:AuthorizationDecisionQuery"/> <element
+ * ref="saml:AssertionIDReference" maxOccurs="unbounded"/> <element ref="samlp:AssertionArtifact"
+ * maxOccurs="unbounded"/>
+ * </choice> </extension> </complexContent> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11RequestType extends SAML11RequestAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected SAML11QueryAbstractType query;
+
+    protected List<String> assertionIDRef = new ArrayList<String>();
+
+    protected List<String> assertionArtifact = new ArrayList<String>();
+
+    public SAML11RequestType(String id, XMLGregorianCalendar issueInstant) {
+        super(id, issueInstant);
+    }
+
+    public void addAssertionIDRef(String sadt) {
+        this.assertionIDRef.add(sadt);
+    }
+
+    public boolean removeAssertionIDRef(String sadt) {
+        return this.assertionIDRef.remove(sadt);
+    }
+
+    public List<String> getAssertionIDRef() {
+        return Collections.unmodifiableList(assertionIDRef);
+    }
+
+    public void addAssertionArtifact(String sadt) {
+        this.assertionArtifact.add(sadt);
+    }
+
+    public boolean removeAssertionArtifact(String sadt) {
+        return this.assertionArtifact.remove(sadt);
+    }
+
+    public List<String> getAssertionArtifact() {
+        return Collections.unmodifiableList(assertionArtifact);
+    }
+
+    public SAML11QueryAbstractType getQuery() {
+        return query;
+    }
+
+    public void setQuery(SAML11QueryAbstractType query) {
+        this.query = query;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseAbstractType.java
new file mode 100755
index 0000000000..48b5938a35
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseAbstractType.java
@@ -0,0 +1,67 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.protocol;
+
+import org.keycloak.dom.saml.common.CommonResponseType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.net.URI;
+
+/**
+ * <complexType name="ResponseAbstractType" abstract="true"> <sequence>
+ *
+ * <element ref="ds:Signature" minOccurs="0"/> </sequence> <attribute name="ResponseID" type="ID" use="required"/>
+ * <attribute
+ * name="InResponseTo" type="NCName" use="optional"/> <attribute name="MajorVersion" type="integer" use="required"/>
+ * <attribute
+ * name="MinorVersion" type="integer" use="required"/> <attribute name="IssueInstant" type="dateTime" use="required"/>
+ * <attribute name="Recipient" type="anyURI" use="optional"/> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public abstract class SAML11ResponseAbstractType extends CommonResponseType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected int majorVersion = 1;
+
+    protected int minorVersion = 1;
+
+    protected URI recipient;
+
+    public SAML11ResponseAbstractType(String id, XMLGregorianCalendar issueInstant) {
+        super(id, issueInstant);
+    }
+
+    public int getMajorVersion() {
+        return majorVersion;
+    }
+
+    public int getMinorVersion() {
+        return minorVersion;
+    }
+
+    public URI getRecipient() {
+        return recipient;
+    }
+
+    public void setRecipient(URI recipient) {
+        this.recipient = recipient;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseType.java
new file mode 100755
index 0000000000..c07dae49af
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11ResponseType.java
@@ -0,0 +1,67 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.protocol;
+
+import org.keycloak.dom.saml.v1.assertion.SAML11AssertionType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <complexType name="ResponseType"> <complexContent> <extension base="samlp:ResponseAbstractType"> <sequence> <element
+ * ref="samlp:Status"/> <element ref="saml:Assertion" minOccurs="0" maxOccurs="unbounded"/> </sequence> </extension>
+ *
+ * </complexContent> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11ResponseType extends SAML11ResponseAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<SAML11AssertionType> assertions = new ArrayList<SAML11AssertionType>();
+
+    protected SAML11StatusType status;
+
+    public SAML11ResponseType(String id, XMLGregorianCalendar issueInstant) {
+        super(id, issueInstant);
+    }
+
+    public void add(SAML11AssertionType assertion) {
+        this.assertions.add(assertion);
+    }
+
+    public boolean remove(SAML11AssertionType assertion) {
+        return this.assertions.remove(assertion);
+    }
+
+    public List<SAML11AssertionType> get() {
+        return Collections.unmodifiableList(assertions);
+    }
+
+    public SAML11StatusType getStatus() {
+        return status;
+    }
+
+    public void setStatus(SAML11StatusType status) {
+        this.status = status;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusCodeType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusCodeType.java
new file mode 100755
index 0000000000..38c56bfecf
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusCodeType.java
@@ -0,0 +1,71 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.protocol;
+
+import javax.xml.namespace.QName;
+import java.io.Serializable;
+
+/**
+ * <complexType name="StatusCodeType"> <sequence> <element ref="samlp:StatusCode" minOccurs="0"/> </sequence>
+ * <attribute
+ * name="Value" type="QName" use="required"/> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11StatusCodeType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    public static final SAML11StatusCodeType SUCCESS = new SAML11StatusCodeType(new QName("samlp:Success"));
+
+    protected SAML11StatusCodeType statusCode;
+
+    protected QName value;
+
+    public SAML11StatusCodeType(QName theValue) {
+        value = theValue;
+    }
+
+    /**
+     * Gets the value of the statusCode property.
+     *
+     * @return possible object is {@link StatusCodeType }
+     */
+    public SAML11StatusCodeType getStatusCode() {
+        return statusCode;
+    }
+
+    /**
+     * Sets the value of the statusCode property.
+     *
+     * @param value allowed object is {@link StatusCodeType }
+     */
+    public void setStatusCode(SAML11StatusCodeType value) {
+        this.statusCode = value;
+    }
+
+    /**
+     * Gets the value of the value property.
+     *
+     * @return possible object is {@link String }
+     */
+    public QName getValue() {
+        return value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusType.java
new file mode 100755
index 0000000000..7f4b7a625e
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11StatusType.java
@@ -0,0 +1,72 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.protocol;
+
+import org.keycloak.dom.saml.common.CommonStatusDetailType;
+
+import java.io.Serializable;
+
+/**
+ * <complexType name="StatusType"> <sequence> <element ref="samlp:StatusCode"/> <element ref="samlp:StatusMessage"
+ * minOccurs="0"/> <element ref="samlp:StatusDetail" minOccurs="0"/> </sequence>
+ *
+ * </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11StatusType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    protected SAML11StatusCodeType statusCode;
+
+    protected String statusMessage;
+
+    protected CommonStatusDetailType statusDetail;
+
+    public SAML11StatusCodeType getStatusCode() {
+        return statusCode;
+    }
+
+    public void setStatusCode(SAML11StatusCodeType statusCode) {
+        this.statusCode = statusCode;
+    }
+
+    public String getStatusMessage() {
+        return statusMessage;
+    }
+
+    public void setStatusMessage(String statusMessage) {
+        this.statusMessage = statusMessage;
+    }
+
+    public CommonStatusDetailType getStatusDetail() {
+        return statusDetail;
+    }
+
+    public void setStatusDetail(CommonStatusDetailType statusDetail) {
+        this.statusDetail = statusDetail;
+    }
+
+    public static SAML11StatusType successType() {
+        SAML11StatusType success = new SAML11StatusType();
+        success.setStatusCode(SAML11StatusCodeType.SUCCESS);
+        return success;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11SubjectQueryAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11SubjectQueryAbstractType.java
new file mode 100755
index 0000000000..c9ef462a28
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v1/protocol/SAML11SubjectQueryAbstractType.java
@@ -0,0 +1,45 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v1.protocol;
+
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectType;
+
+/**
+ * <complexType name="SubjectQueryAbstractType" abstract="true"> <complexContent> <extension
+ * base="samlp:QueryAbstractType">
+ * <sequence> <element ref="saml:Subject"/> </sequence>
+ *
+ * </extension> </complexContent> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public class SAML11SubjectQueryAbstractType extends SAML11QueryAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected SAML11SubjectType subject;
+
+    public SAML11SubjectType getSubject() {
+        return subject;
+    }
+
+    public void setSubject(SAML11SubjectType subject) {
+        this.subject = subject;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/SAML2Object.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/SAML2Object.java
new file mode 100755
index 0000000000..7e66eabdfc
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/SAML2Object.java
@@ -0,0 +1,28 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2;
+
+/**
+ * Marker Interface
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Sep 17, 2009
+ */
+public interface SAML2Object {
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitDurationType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitDurationType.java
new file mode 100755
index 0000000000..47e4be4004
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitDurationType.java
@@ -0,0 +1,56 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.datatype.Duration;
+
+/**
+ * <p>
+ * Java class for ActivationLimitDurationType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ActivationLimitDurationType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="duration" use="required" type="{http://www.w3.org/2001/XMLSchema}duration" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ActivationLimitDurationType {
+
+    protected Duration duration;
+
+    public ActivationLimitDurationType(Duration theDuration) {
+        this.duration = theDuration;
+    }
+
+    /**
+     * Gets the value of the duration property.
+     *
+     * @return possible object is {@link Duration }
+     */
+    public Duration getDuration() {
+        return duration;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitSessionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitSessionType.java
new file mode 100755
index 0000000000..824fe09ec9
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitSessionType.java
@@ -0,0 +1,39 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac;
+
+/**
+ * <p>
+ * Java class for ActivationLimitSessionType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ActivationLimitSessionType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ActivationLimitSessionType {
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitType.java
new file mode 100755
index 0000000000..2f5e55dd87
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitType.java
@@ -0,0 +1,120 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * <p>
+ * Java class for ActivationLimitType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ActivationLimitType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}ActivationLimitDuration"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}ActivationLimitUsages"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}ActivationLimitSession"/>
+ *       &lt;/choice>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "ActivationLimitType", propOrder = {"activationLimitDuration", "activationLimitUsages",
+        "activationLimitSession"})
+public class ActivationLimitType {
+
+    @XmlElement(name = "ActivationLimitDuration")
+    protected ActivationLimitDurationType activationLimitDuration;
+    @XmlElement(name = "ActivationLimitUsages")
+    protected ActivationLimitUsagesType activationLimitUsages;
+    @XmlElement(name = "ActivationLimitSession")
+    protected ActivationLimitSessionType activationLimitSession;
+
+    /**
+     * Gets the value of the activationLimitDuration property.
+     *
+     * @return possible object is {@link ActivationLimitDurationType }
+     */
+    public ActivationLimitDurationType getActivationLimitDuration() {
+        return activationLimitDuration;
+    }
+
+    /**
+     * Sets the value of the activationLimitDuration property.
+     *
+     * @param value allowed object is {@link ActivationLimitDurationType }
+     */
+    public void setActivationLimitDuration(ActivationLimitDurationType value) {
+        this.activationLimitDuration = value;
+    }
+
+    /**
+     * Gets the value of the activationLimitUsages property.
+     *
+     * @return possible object is {@link ActivationLimitUsagesType }
+     */
+    public ActivationLimitUsagesType getActivationLimitUsages() {
+        return activationLimitUsages;
+    }
+
+    /**
+     * Sets the value of the activationLimitUsages property.
+     *
+     * @param value allowed object is {@link ActivationLimitUsagesType }
+     */
+    public void setActivationLimitUsages(ActivationLimitUsagesType value) {
+        this.activationLimitUsages = value;
+    }
+
+    /**
+     * Gets the value of the activationLimitSession property.
+     *
+     * @return possible object is {@link ActivationLimitSessionType }
+     */
+    public ActivationLimitSessionType getActivationLimitSession() {
+        return activationLimitSession;
+    }
+
+    /**
+     * Sets the value of the activationLimitSession property.
+     *
+     * @param value allowed object is {@link ActivationLimitSessionType }
+     */
+    public void setActivationLimitSession(ActivationLimitSessionType value) {
+        this.activationLimitSession = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitUsagesType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitUsagesType.java
new file mode 100755
index 0000000000..55e082613d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationLimitUsagesType.java
@@ -0,0 +1,76 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlType;
+import java.math.BigInteger;
+
+/**
+ * <p>
+ * Java class for ActivationLimitUsagesType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ActivationLimitUsagesType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="number" use="required" type="{http://www.w3.org/2001/XMLSchema}integer" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "ActivationLimitUsagesType")
+public class ActivationLimitUsagesType {
+
+    @XmlAttribute(required = true)
+    protected BigInteger number;
+
+    /**
+     * Gets the value of the number property.
+     *
+     * @return possible object is {@link BigInteger }
+     */
+    public BigInteger getNumber() {
+        return number;
+    }
+
+    /**
+     * Sets the value of the number property.
+     *
+     * @param value allowed object is {@link BigInteger }
+     */
+    public void setNumber(BigInteger value) {
+        this.number = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationPinType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationPinType.java
new file mode 100755
index 0000000000..03c52cb2c7
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ActivationPinType.java
@@ -0,0 +1,172 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for ActivationPinType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ActivationPinType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Length" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Alphabet" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Generation" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}ActivationLimit" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "ActivationPinType", propOrder = {"length", "alphabet", "generation", "activationLimit", "extension"})
+public class ActivationPinType {
+
+    @XmlElement(name = "Length")
+    protected LengthType length;
+    @XmlElement(name = "Alphabet")
+    protected AlphabetType alphabet;
+    @XmlElement(name = "Generation")
+    protected Generation generation;
+    @XmlElement(name = "ActivationLimit")
+    protected ActivationLimitType activationLimit;
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+
+    /**
+     * Gets the value of the length property.
+     *
+     * @return possible object is {@link LengthType }
+     */
+    public LengthType getLength() {
+        return length;
+    }
+
+    /**
+     * Sets the value of the length property.
+     *
+     * @param value allowed object is {@link LengthType }
+     */
+    public void setLength(LengthType value) {
+        this.length = value;
+    }
+
+    /**
+     * Gets the value of the alphabet property.
+     *
+     * @return possible object is {@link AlphabetType }
+     */
+    public AlphabetType getAlphabet() {
+        return alphabet;
+    }
+
+    /**
+     * Sets the value of the alphabet property.
+     *
+     * @param value allowed object is {@link AlphabetType }
+     */
+    public void setAlphabet(AlphabetType value) {
+        this.alphabet = value;
+    }
+
+    /**
+     * Gets the value of the generation property.
+     *
+     * @return possible object is {@link Generation }
+     */
+    public Generation getGeneration() {
+        return generation;
+    }
+
+    /**
+     * Sets the value of the generation property.
+     *
+     * @param value allowed object is {@link Generation }
+     */
+    public void setGeneration(Generation value) {
+        this.generation = value;
+    }
+
+    /**
+     * Gets the value of the activationLimit property.
+     *
+     * @return possible object is {@link ActivationLimitType }
+     */
+    public ActivationLimitType getActivationLimit() {
+        return activationLimit;
+    }
+
+    /**
+     * Sets the value of the activationLimit property.
+     *
+     * @param value allowed object is {@link ActivationLimitType }
+     */
+    public void setActivationLimit(ActivationLimitType value) {
+        this.activationLimit = value;
+    }
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AlphabetType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AlphabetType.java
new file mode 100755
index 0000000000..a4536a0046
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AlphabetType.java
@@ -0,0 +1,117 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * <p>
+ * Java class for AlphabetType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AlphabetType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="requiredChars" use="required" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *       &lt;attribute name="excludedChars" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *       &lt;attribute name="case" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "AlphabetType")
+public class AlphabetType {
+
+    @XmlAttribute(required = true)
+    protected String requiredChars;
+    @XmlAttribute
+    protected String excludedChars;
+    @XmlAttribute(name = "case")
+    protected String _case;
+
+    /**
+     * Gets the value of the requiredChars property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getRequiredChars() {
+        return requiredChars;
+    }
+
+    /**
+     * Sets the value of the requiredChars property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setRequiredChars(String value) {
+        this.requiredChars = value;
+    }
+
+    /**
+     * Gets the value of the excludedChars property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getExcludedChars() {
+        return excludedChars;
+    }
+
+    /**
+     * Sets the value of the excludedChars property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setExcludedChars(String value) {
+        this.excludedChars = value;
+    }
+
+    /**
+     * Gets the value of the case property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getCase() {
+        return _case;
+    }
+
+    /**
+     * Sets the value of the case property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setCase(String value) {
+        this._case = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthenticatorBaseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthenticatorBaseType.java
new file mode 100755
index 0000000000..cfb5974c8d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthenticatorBaseType.java
@@ -0,0 +1,132 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElementRef;
+import javax.xml.bind.annotation.XmlElementRefs;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for AuthenticatorBaseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthenticatorBaseType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;group ref="{urn:oasis:names:tc:SAML:2.0:ac}AuthenticatorChoiceGroup"/>
+ *         &lt;group ref="{urn:oasis:names:tc:SAML:2.0:ac}AuthenticatorSequenceGroup"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "AuthenticatorBaseType", propOrder = {"content"})
+public class AuthenticatorBaseType {
+
+    @XmlElementRefs({
+            @XmlElementRef(name = "ComplexAuthenticator", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "PreviousSession", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "ZeroKnowledge", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "RestrictedPassword", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "IPAddress", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "SharedSecretDynamicPlaintext", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "SharedSecretChallengeResponse", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "DigSig", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "SubscriberLineNumber", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "ResumeSession", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "UserSuffix", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "Password", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "AsymmetricDecryption", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "Extension", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "AsymmetricKeyAgreement", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class)})
+    protected List<JAXBElement<?>> content;
+
+    /**
+     * Gets the rest of the content model.
+     *
+     * <p>
+     * You are getting this "catch-all" property because of the following reason: The field name "PreviousSession" is
+     * used by
+     * two different parts of a schema. See: line 575 of file:/home/anil/saml2/saml-schema-authn-context-types-2.0.xsd
+     * line 556
+     * of file:/home/anil/saml2/saml-schema-authn-context-types-2.0.xsd
+     * <p>
+     * To get rid of this property, apply a property customization to one of both of the following declarations to
+     * change their
+     * names: Gets the value of the content property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * content
+     * property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getContent().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link JAXBElement }{@code <}{@link
+     * ComplexAuthenticatorType }
+     * {@code >} {@link JAXBElement }{@code <}{@link ExtensionOnlyType }{@code >} {@link JAXBElement }{@code <}
+     * {@link ExtensionOnlyType }{@code >} {@link JAXBElement }{@code <}{@link RestrictedPasswordType }{@code >}
+     * {@link JAXBElement }{@code <}{@link ExtensionOnlyType }{@code >} {@link JAXBElement }{@code <}{@link
+     * ExtensionOnlyType }
+     * {@code >} {@link JAXBElement }{@code <}{@link SharedSecretChallengeResponseType }{@code >} {@link JAXBElement
+     * }{@code <}
+     * {@link PublicKeyType }{@code >} {@link JAXBElement }{@code <}{@link ExtensionOnlyType }{@code >} {@link
+     * JAXBElement }{@code <}
+     * {@link ExtensionOnlyType }{@code >} {@link JAXBElement }{@code <}{@link ExtensionOnlyType }{@code >} {@link
+     * JAXBElement }
+     * {@code <}{@link PasswordType }{@code >} {@link JAXBElement }{@code <}{@link PublicKeyType }{@code >} {@link
+     * JAXBElement }
+     * {@code <}{@link ExtensionType }{@code >} {@link JAXBElement }{@code <}{@link PublicKeyType }{@code >}
+     */
+    public List<JAXBElement<?>> getContent() {
+        if (content == null) {
+            content = new ArrayList<JAXBElement<?>>();
+        }
+        return this.content;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthenticatorTransportProtocolType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthenticatorTransportProtocolType.java
new file mode 100755
index 0000000000..d046087565
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthenticatorTransportProtocolType.java
@@ -0,0 +1,301 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for AuthenticatorTransportProtocolType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthenticatorTransportProtocolType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;choice minOccurs="0">
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}HTTP"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}SSL"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}MobileNetworkNoEncryption"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}MobileNetworkRadioEncryption"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}MobileNetworkEndToEndEncryption"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}WTLS"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}IPSec"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}PSTN"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}ISDN"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}ADSL"/>
+ *         &lt;/choice>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "AuthenticatorTransportProtocolType", propOrder = {"http", "ssl", "mobileNetworkNoEncryption",
+        "mobileNetworkRadioEncryption", "mobileNetworkEndToEndEncryption", "wtls", "ipSec", "pstn", "isdn", "adsl", "extension"})
+public class AuthenticatorTransportProtocolType {
+
+    @XmlElement(name = "HTTP")
+    protected ExtensionOnlyType http;
+    @XmlElement(name = "SSL")
+    protected ExtensionOnlyType ssl;
+    @XmlElement(name = "MobileNetworkNoEncryption")
+    protected ExtensionOnlyType mobileNetworkNoEncryption;
+    @XmlElement(name = "MobileNetworkRadioEncryption")
+    protected ExtensionOnlyType mobileNetworkRadioEncryption;
+    @XmlElement(name = "MobileNetworkEndToEndEncryption")
+    protected ExtensionOnlyType mobileNetworkEndToEndEncryption;
+    @XmlElement(name = "WTLS")
+    protected ExtensionOnlyType wtls;
+    @XmlElement(name = "IPSec")
+    protected ExtensionOnlyType ipSec;
+    @XmlElement(name = "PSTN")
+    protected ExtensionOnlyType pstn;
+    @XmlElement(name = "ISDN")
+    protected ExtensionOnlyType isdn;
+    @XmlElement(name = "ADSL")
+    protected ExtensionOnlyType adsl;
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+
+    /**
+     * Gets the value of the http property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getHTTP() {
+        return http;
+    }
+
+    /**
+     * Sets the value of the http property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setHTTP(ExtensionOnlyType value) {
+        this.http = value;
+    }
+
+    /**
+     * Gets the value of the ssl property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getSSL() {
+        return ssl;
+    }
+
+    /**
+     * Sets the value of the ssl property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setSSL(ExtensionOnlyType value) {
+        this.ssl = value;
+    }
+
+    /**
+     * Gets the value of the mobileNetworkNoEncryption property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getMobileNetworkNoEncryption() {
+        return mobileNetworkNoEncryption;
+    }
+
+    /**
+     * Sets the value of the mobileNetworkNoEncryption property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setMobileNetworkNoEncryption(ExtensionOnlyType value) {
+        this.mobileNetworkNoEncryption = value;
+    }
+
+    /**
+     * Gets the value of the mobileNetworkRadioEncryption property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getMobileNetworkRadioEncryption() {
+        return mobileNetworkRadioEncryption;
+    }
+
+    /**
+     * Sets the value of the mobileNetworkRadioEncryption property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setMobileNetworkRadioEncryption(ExtensionOnlyType value) {
+        this.mobileNetworkRadioEncryption = value;
+    }
+
+    /**
+     * Gets the value of the mobileNetworkEndToEndEncryption property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getMobileNetworkEndToEndEncryption() {
+        return mobileNetworkEndToEndEncryption;
+    }
+
+    /**
+     * Sets the value of the mobileNetworkEndToEndEncryption property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setMobileNetworkEndToEndEncryption(ExtensionOnlyType value) {
+        this.mobileNetworkEndToEndEncryption = value;
+    }
+
+    /**
+     * Gets the value of the wtls property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getWTLS() {
+        return wtls;
+    }
+
+    /**
+     * Sets the value of the wtls property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setWTLS(ExtensionOnlyType value) {
+        this.wtls = value;
+    }
+
+    /**
+     * Gets the value of the ipSec property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getIPSec() {
+        return ipSec;
+    }
+
+    /**
+     * Sets the value of the ipSec property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setIPSec(ExtensionOnlyType value) {
+        this.ipSec = value;
+    }
+
+    /**
+     * Gets the value of the pstn property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getPSTN() {
+        return pstn;
+    }
+
+    /**
+     * Sets the value of the pstn property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setPSTN(ExtensionOnlyType value) {
+        this.pstn = value;
+    }
+
+    /**
+     * Gets the value of the isdn property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getISDN() {
+        return isdn;
+    }
+
+    /**
+     * Sets the value of the isdn property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setISDN(ExtensionOnlyType value) {
+        this.isdn = value;
+    }
+
+    /**
+     * Gets the value of the adsl property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getADSL() {
+        return adsl;
+    }
+
+    /**
+     * Sets the value of the adsl property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setADSL(ExtensionOnlyType value) {
+        this.adsl = value;
+    }
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthnContextDeclarationBaseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthnContextDeclarationBaseType.java
new file mode 100755
index 0000000000..1a9c858c80
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthnContextDeclarationBaseType.java
@@ -0,0 +1,223 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlID;
+import javax.xml.bind.annotation.XmlSchemaType;
+import javax.xml.bind.annotation.XmlType;
+import javax.xml.bind.annotation.adapters.CollapsedStringAdapter;
+import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for AuthnContextDeclarationBaseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthnContextDeclarationBaseType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Identification" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}TechnicalProtection" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}OperationalProtection" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}AuthnMethod" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}GoverningAgreements" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="ID" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "AuthnContextDeclarationBaseType", propOrder = {"identification", "technicalProtection",
+        "operationalProtection", "authnMethod", "governingAgreements", "extension"})
+public class AuthnContextDeclarationBaseType {
+
+    @XmlElement(name = "Identification")
+    protected IdentificationType identification;
+    @XmlElement(name = "TechnicalProtection")
+    protected TechnicalProtectionBaseType technicalProtection;
+    @XmlElement(name = "OperationalProtection")
+    protected OperationalProtectionType operationalProtection;
+    @XmlElement(name = "AuthnMethod")
+    protected AuthnMethodBaseType authnMethod;
+    @XmlElement(name = "GoverningAgreements")
+    protected GoverningAgreementsType governingAgreements;
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+    @XmlAttribute(name = "ID")
+    @XmlJavaTypeAdapter(CollapsedStringAdapter.class)
+    @XmlID
+    @XmlSchemaType(name = "ID")
+    protected String id;
+
+    /**
+     * Gets the value of the identification property.
+     *
+     * @return possible object is {@link IdentificationType }
+     */
+    public IdentificationType getIdentification() {
+        return identification;
+    }
+
+    /**
+     * Sets the value of the identification property.
+     *
+     * @param value allowed object is {@link IdentificationType }
+     */
+    public void setIdentification(IdentificationType value) {
+        this.identification = value;
+    }
+
+    /**
+     * Gets the value of the technicalProtection property.
+     *
+     * @return possible object is {@link TechnicalProtectionBaseType }
+     */
+    public TechnicalProtectionBaseType getTechnicalProtection() {
+        return technicalProtection;
+    }
+
+    /**
+     * Sets the value of the technicalProtection property.
+     *
+     * @param value allowed object is {@link TechnicalProtectionBaseType }
+     */
+    public void setTechnicalProtection(TechnicalProtectionBaseType value) {
+        this.technicalProtection = value;
+    }
+
+    /**
+     * Gets the value of the operationalProtection property.
+     *
+     * @return possible object is {@link OperationalProtectionType }
+     */
+    public OperationalProtectionType getOperationalProtection() {
+        return operationalProtection;
+    }
+
+    /**
+     * Sets the value of the operationalProtection property.
+     *
+     * @param value allowed object is {@link OperationalProtectionType }
+     */
+    public void setOperationalProtection(OperationalProtectionType value) {
+        this.operationalProtection = value;
+    }
+
+    /**
+     * Gets the value of the authnMethod property.
+     *
+     * @return possible object is {@link AuthnMethodBaseType }
+     */
+    public AuthnMethodBaseType getAuthnMethod() {
+        return authnMethod;
+    }
+
+    /**
+     * Sets the value of the authnMethod property.
+     *
+     * @param value allowed object is {@link AuthnMethodBaseType }
+     */
+    public void setAuthnMethod(AuthnMethodBaseType value) {
+        this.authnMethod = value;
+    }
+
+    /**
+     * Gets the value of the governingAgreements property.
+     *
+     * @return possible object is {@link GoverningAgreementsType }
+     */
+    public GoverningAgreementsType getGoverningAgreements() {
+        return governingAgreements;
+    }
+
+    /**
+     * Sets the value of the governingAgreements property.
+     *
+     * @param value allowed object is {@link GoverningAgreementsType }
+     */
+    public void setGoverningAgreements(GoverningAgreementsType value) {
+        this.governingAgreements = value;
+    }
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getID() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setID(String value) {
+        this.id = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthnMethodBaseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthnMethodBaseType.java
new file mode 100755
index 0000000000..bd4bfb1dc1
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/AuthnMethodBaseType.java
@@ -0,0 +1,152 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for AuthnMethodBaseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthnMethodBaseType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}PrincipalAuthenticationMechanism" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Authenticator" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}AuthenticatorTransportProtocol" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "AuthnMethodBaseType", propOrder = {"principalAuthenticationMechanism", "authenticator",
+        "authenticatorTransportProtocol", "extension"})
+public class AuthnMethodBaseType {
+
+    @XmlElement(name = "PrincipalAuthenticationMechanism")
+    protected PrincipalAuthenticationMechanismType principalAuthenticationMechanism;
+    @XmlElement(name = "Authenticator")
+    protected AuthenticatorBaseType authenticator;
+    @XmlElement(name = "AuthenticatorTransportProtocol")
+    protected AuthenticatorTransportProtocolType authenticatorTransportProtocol;
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+
+    /**
+     * Gets the value of the principalAuthenticationMechanism property.
+     *
+     * @return possible object is {@link PrincipalAuthenticationMechanismType }
+     */
+    public PrincipalAuthenticationMechanismType getPrincipalAuthenticationMechanism() {
+        return principalAuthenticationMechanism;
+    }
+
+    /**
+     * Sets the value of the principalAuthenticationMechanism property.
+     *
+     * @param value allowed object is {@link PrincipalAuthenticationMechanismType }
+     */
+    public void setPrincipalAuthenticationMechanism(PrincipalAuthenticationMechanismType value) {
+        this.principalAuthenticationMechanism = value;
+    }
+
+    /**
+     * Gets the value of the authenticator property.
+     *
+     * @return possible object is {@link AuthenticatorBaseType }
+     */
+    public AuthenticatorBaseType getAuthenticator() {
+        return authenticator;
+    }
+
+    /**
+     * Sets the value of the authenticator property.
+     *
+     * @param value allowed object is {@link AuthenticatorBaseType }
+     */
+    public void setAuthenticator(AuthenticatorBaseType value) {
+        this.authenticator = value;
+    }
+
+    /**
+     * Gets the value of the authenticatorTransportProtocol property.
+     *
+     * @return possible object is {@link AuthenticatorTransportProtocolType }
+     */
+    public AuthenticatorTransportProtocolType getAuthenticatorTransportProtocol() {
+        return authenticatorTransportProtocol;
+    }
+
+    /**
+     * Sets the value of the authenticatorTransportProtocol property.
+     *
+     * @param value allowed object is {@link AuthenticatorTransportProtocolType }
+     */
+    public void setAuthenticatorTransportProtocol(AuthenticatorTransportProtocolType value) {
+        this.authenticatorTransportProtocol = value;
+    }
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/BooleanType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/BooleanType.java
new file mode 100755
index 0000000000..9d268df652
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/BooleanType.java
@@ -0,0 +1,75 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlEnum;
+import javax.xml.bind.annotation.XmlEnumValue;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * <p>
+ * Java class for booleanType.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ * <p>
+ *
+ * <pre>
+ * &lt;simpleType name="booleanType">
+ *   &lt;restriction base="{http://www.w3.org/2001/XMLSchema}NMTOKEN">
+ *     &lt;enumeration value="true"/>
+ *     &lt;enumeration value="false"/>
+ *   &lt;/restriction>
+ * &lt;/simpleType>
+ * </pre>
+ */
+@XmlType(name = "booleanType")
+@XmlEnum
+public enum BooleanType {
+
+    @XmlEnumValue("true")
+    TRUE("true"), @XmlEnumValue("false")
+    FALSE("false");
+    private final String value;
+
+    BooleanType(String v) {
+        value = v;
+    }
+
+    public String value() {
+        return value;
+    }
+
+    public static BooleanType fromValue(String v) {
+        for (BooleanType c : BooleanType.values()) {
+            if (c.value.equals(v)) {
+                return c;
+            }
+        }
+        throw new IllegalArgumentException(v);
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ComplexAuthenticatorType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ComplexAuthenticatorType.java
new file mode 100755
index 0000000000..9a159d9cfe
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ComplexAuthenticatorType.java
@@ -0,0 +1,133 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElementRef;
+import javax.xml.bind.annotation.XmlElementRefs;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for ComplexAuthenticatorType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ComplexAuthenticatorType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;group ref="{urn:oasis:names:tc:SAML:2.0:ac}AuthenticatorChoiceGroup"/>
+ *         &lt;group ref="{urn:oasis:names:tc:SAML:2.0:ac}AuthenticatorSequenceGroup"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "ComplexAuthenticatorType", propOrder = {"content"})
+public class ComplexAuthenticatorType {
+
+    @XmlElementRefs({
+            @XmlElementRef(name = "ComplexAuthenticator", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "PreviousSession", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "ZeroKnowledge", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "RestrictedPassword", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "IPAddress", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "SharedSecretDynamicPlaintext", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "DigSig", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "SharedSecretChallengeResponse", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "SubscriberLineNumber", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "ResumeSession", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "UserSuffix", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "Password", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "AsymmetricDecryption", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "Extension", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class),
+            @XmlElementRef(name = "AsymmetricKeyAgreement", namespace = "urn:oasis:names:tc:SAML:2.0:ac", type = JAXBElement.class)})
+    protected List<JAXBElement<?>> content;
+
+    /**
+     * Gets the rest of the content model.
+     *
+     * <p>
+     * You are getting this "catch-all" property because of the following reason: The field name "PreviousSession" is
+     * used by
+     * two different parts of a schema. See: line 575 of file:/home/anil/saml2/saml-schema-authn-context-types-2.0.xsd
+     * line 556
+     * of file:/home/anil/saml2/saml-schema-authn-context-types-2.0.xsd
+     * <p>
+     * To get rid of this property, apply a property customization to one of both of the following declarations to
+     * change their
+     * names: Gets the value of the content property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * content
+     * property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getContent().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link JAXBElement }{@code <}{@link
+     * ComplexAuthenticatorType }
+     * {@code >} {@link JAXBElement }{@code <}{@link ExtensionOnlyType }{@code >} {@link JAXBElement }{@code <}
+     * {@link ExtensionOnlyType }{@code >} {@link JAXBElement }{@code <}{@link RestrictedPasswordType }{@code >}
+     * {@link JAXBElement }{@code <}{@link ExtensionOnlyType }{@code >} {@link JAXBElement }{@code <}{@link
+     * ExtensionOnlyType }
+     * {@code >} {@link JAXBElement }{@code <}{@link PublicKeyType }{@code >} {@link JAXBElement }{@code <}
+     * {@link SharedSecretChallengeResponseType }{@code >} {@link JAXBElement }{@code <}{@link ExtensionOnlyType }{@code
+     * >}
+     * {@link JAXBElement }{@code <}{@link ExtensionOnlyType }{@code >} {@link JAXBElement }{@code <}{@link
+     * ExtensionOnlyType }
+     * {@code >} {@link JAXBElement }{@code <}{@link PasswordType }{@code >} {@link JAXBElement }{@code <}{@link
+     * PublicKeyType }
+     * {@code >} {@link JAXBElement }{@code <}{@link ExtensionType }{@code >} {@link JAXBElement }{@code <}{@link
+     * PublicKeyType }
+     * {@code >}
+     */
+    public List<JAXBElement<?>> getContent() {
+        if (content == null) {
+            content = new ArrayList<JAXBElement<?>>();
+        }
+        return this.content;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/DeviceTypeType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/DeviceTypeType.java
new file mode 100755
index 0000000000..ebcd889ea2
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/DeviceTypeType.java
@@ -0,0 +1,75 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlEnum;
+import javax.xml.bind.annotation.XmlEnumValue;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * <p>
+ * Java class for DeviceTypeType.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ * <p>
+ *
+ * <pre>
+ * &lt;simpleType name="DeviceTypeType">
+ *   &lt;restriction base="{http://www.w3.org/2001/XMLSchema}NMTOKEN">
+ *     &lt;enumeration value="hardware"/>
+ *     &lt;enumeration value="software"/>
+ *   &lt;/restriction>
+ * &lt;/simpleType>
+ * </pre>
+ */
+@XmlType(name = "DeviceTypeType")
+@XmlEnum
+public enum DeviceTypeType {
+
+    @XmlEnumValue("hardware")
+    HARDWARE("hardware"), @XmlEnumValue("software")
+    SOFTWARE("software");
+    private final String value;
+
+    DeviceTypeType(String v) {
+        value = v;
+    }
+
+    public String value() {
+        return value;
+    }
+
+    public static DeviceTypeType fromValue(String v) {
+        for (DeviceTypeType c : DeviceTypeType.values()) {
+            if (c.value.equals(v)) {
+                return c;
+            }
+        }
+        throw new IllegalArgumentException(v);
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ExtensionOnlyType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ExtensionOnlyType.java
new file mode 100755
index 0000000000..50f60e0fb5
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ExtensionOnlyType.java
@@ -0,0 +1,88 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for ExtensionOnlyType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ExtensionOnlyType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "ExtensionOnlyType", propOrder = {"extension"})
+public class ExtensionOnlyType {
+
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ExtensionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ExtensionType.java
new file mode 100755
index 0000000000..cfaa01c059
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/ExtensionType.java
@@ -0,0 +1,89 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAnyElement;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for ExtensionType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ExtensionType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "ExtensionType", propOrder = {"any"})
+public class ExtensionType {
+
+    @XmlAnyElement(lax = true)
+    protected List<Object> any;
+
+    /**
+     * Gets the value of the any property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * any
+     * property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getAny().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link org.w3c.dom.Element } {@link Object }
+     */
+    public List<Object> getAny() {
+        if (any == null) {
+            any = new ArrayList<Object>();
+        }
+        return this.any;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/Generation.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/Generation.java
new file mode 100755
index 0000000000..939079c3e0
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/Generation.java
@@ -0,0 +1,87 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+import javax.xml.bind.annotation.adapters.CollapsedStringAdapter;
+import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
+
+/**
+ * <p>
+ * Java class for anonymous complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType>
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="mechanism" use="required">
+ *         &lt;simpleType>
+ *           &lt;restriction base="{http://www.w3.org/2001/XMLSchema}NMTOKEN">
+ *             &lt;enumeration value="principalchosen"/>
+ *             &lt;enumeration value="automatic"/>
+ *           &lt;/restriction>
+ *         &lt;/simpleType>
+ *       &lt;/attribute>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "")
+@XmlRootElement(name = "Generation")
+public class Generation {
+
+    @XmlAttribute(required = true)
+    @XmlJavaTypeAdapter(CollapsedStringAdapter.class)
+    protected String mechanism;
+
+    /**
+     * Gets the value of the mechanism property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getMechanism() {
+        return mechanism;
+    }
+
+    /**
+     * Sets the value of the mechanism property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setMechanism(String value) {
+        this.mechanism = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/GoverningAgreementRefType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/GoverningAgreementRefType.java
new file mode 100755
index 0000000000..4ba49469d5
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/GoverningAgreementRefType.java
@@ -0,0 +1,77 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlSchemaType;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * <p>
+ * Java class for GoverningAgreementRefType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="GoverningAgreementRefType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="governingAgreementRef" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "GoverningAgreementRefType")
+public class GoverningAgreementRefType {
+
+    @XmlAttribute(required = true)
+    @XmlSchemaType(name = "anyURI")
+    protected String governingAgreementRef;
+
+    /**
+     * Gets the value of the governingAgreementRef property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getGoverningAgreementRef() {
+        return governingAgreementRef;
+    }
+
+    /**
+     * Sets the value of the governingAgreementRef property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setGoverningAgreementRef(String value) {
+        this.governingAgreementRef = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/GoverningAgreementsType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/GoverningAgreementsType.java
new file mode 100755
index 0000000000..5081049edb
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/GoverningAgreementsType.java
@@ -0,0 +1,88 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for GoverningAgreementsType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="GoverningAgreementsType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}GoverningAgreementRef" maxOccurs="unbounded"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "GoverningAgreementsType", propOrder = {"governingAgreementRef"})
+public class GoverningAgreementsType {
+
+    @XmlElement(name = "GoverningAgreementRef", required = true)
+    protected List<GoverningAgreementRefType> governingAgreementRef;
+
+    /**
+     * Gets the value of the governingAgreementRef property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * governingAgreementRef property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getGoverningAgreementRef().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link GoverningAgreementRefType }
+     */
+    public List<GoverningAgreementRefType> getGoverningAgreementRef() {
+        if (governingAgreementRef == null) {
+            governingAgreementRef = new ArrayList<GoverningAgreementRefType>();
+        }
+        return this.governingAgreementRef;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/IdentificationType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/IdentificationType.java
new file mode 100755
index 0000000000..f0688842af
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/IdentificationType.java
@@ -0,0 +1,174 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for IdentificationType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="IdentificationType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}PhysicalVerification" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}WrittenConsent" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}GoverningAgreements" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="nym" type="{urn:oasis:names:tc:SAML:2.0:ac}nymType" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "IdentificationType", propOrder = {"physicalVerification", "writtenConsent", "governingAgreements",
+        "extension"})
+public class IdentificationType {
+
+    @XmlElement(name = "PhysicalVerification")
+    protected PhysicalVerification physicalVerification;
+    @XmlElement(name = "WrittenConsent")
+    protected ExtensionOnlyType writtenConsent;
+    @XmlElement(name = "GoverningAgreements")
+    protected GoverningAgreementsType governingAgreements;
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+    @XmlAttribute
+    protected NymType nym;
+
+    /**
+     * Gets the value of the physicalVerification property.
+     *
+     * @return possible object is {@link PhysicalVerification }
+     */
+    public PhysicalVerification getPhysicalVerification() {
+        return physicalVerification;
+    }
+
+    /**
+     * Sets the value of the physicalVerification property.
+     *
+     * @param value allowed object is {@link PhysicalVerification }
+     */
+    public void setPhysicalVerification(PhysicalVerification value) {
+        this.physicalVerification = value;
+    }
+
+    /**
+     * Gets the value of the writtenConsent property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getWrittenConsent() {
+        return writtenConsent;
+    }
+
+    /**
+     * Sets the value of the writtenConsent property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setWrittenConsent(ExtensionOnlyType value) {
+        this.writtenConsent = value;
+    }
+
+    /**
+     * Gets the value of the governingAgreements property.
+     *
+     * @return possible object is {@link GoverningAgreementsType }
+     */
+    public GoverningAgreementsType getGoverningAgreements() {
+        return governingAgreements;
+    }
+
+    /**
+     * Sets the value of the governingAgreements property.
+     *
+     * @param value allowed object is {@link GoverningAgreementsType }
+     */
+    public void setGoverningAgreements(GoverningAgreementsType value) {
+        this.governingAgreements = value;
+    }
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+    /**
+     * Gets the value of the nym property.
+     *
+     * @return possible object is {@link NymType }
+     */
+    public NymType getNym() {
+        return nym;
+    }
+
+    /**
+     * Sets the value of the nym property.
+     *
+     * @param value allowed object is {@link NymType }
+     */
+    public void setNym(NymType value) {
+        this.nym = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/KeyActivationType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/KeyActivationType.java
new file mode 100755
index 0000000000..2f1b582dba
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/KeyActivationType.java
@@ -0,0 +1,109 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for KeyActivationType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="KeyActivationType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}ActivationPin" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "KeyActivationType", propOrder = {"activationPin", "extension"})
+public class KeyActivationType {
+
+    @XmlElement(name = "ActivationPin")
+    protected ActivationPinType activationPin;
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+
+    /**
+     * Gets the value of the activationPin property.
+     *
+     * @return possible object is {@link ActivationPinType }
+     */
+    public ActivationPinType getActivationPin() {
+        return activationPin;
+    }
+
+    /**
+     * Sets the value of the activationPin property.
+     *
+     * @param value allowed object is {@link ActivationPinType }
+     */
+    public void setActivationPin(ActivationPinType value) {
+        this.activationPin = value;
+    }
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/KeySharingType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/KeySharingType.java
new file mode 100755
index 0000000000..15bbd09451
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/KeySharingType.java
@@ -0,0 +1,71 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * <p>
+ * Java class for KeySharingType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="KeySharingType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="sharing" use="required" type="{http://www.w3.org/2001/XMLSchema}boolean" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "KeySharingType")
+public class KeySharingType {
+
+    @XmlAttribute(required = true)
+    protected boolean sharing;
+
+    /**
+     * Gets the value of the sharing property.
+     */
+    public boolean isSharing() {
+        return sharing;
+    }
+
+    /**
+     * Sets the value of the sharing property.
+     */
+    public void setSharing(boolean value) {
+        this.sharing = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/KeyStorageType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/KeyStorageType.java
new file mode 100755
index 0000000000..81965a18bd
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/KeyStorageType.java
@@ -0,0 +1,75 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * <p>
+ * Java class for KeyStorageType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="KeyStorageType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="medium" use="required" type="{urn:oasis:names:tc:SAML:2.0:ac}mediumType" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "KeyStorageType")
+public class KeyStorageType {
+
+    @XmlAttribute(required = true)
+    protected MediumType medium;
+
+    /**
+     * Gets the value of the medium property.
+     *
+     * @return possible object is {@link MediumType }
+     */
+    public MediumType getMedium() {
+        return medium;
+    }
+
+    /**
+     * Sets the value of the medium property.
+     *
+     * @param value allowed object is {@link MediumType }
+     */
+    public void setMedium(MediumType value) {
+        this.medium = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/LengthType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/LengthType.java
new file mode 100755
index 0000000000..9694aee7a0
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/LengthType.java
@@ -0,0 +1,99 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlSeeAlso;
+import javax.xml.bind.annotation.XmlType;
+import java.math.BigInteger;
+
+/**
+ * <p>
+ * Java class for LengthType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="LengthType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="min" use="required" type="{http://www.w3.org/2001/XMLSchema}integer" />
+ *       &lt;attribute name="max" type="{http://www.w3.org/2001/XMLSchema}integer" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "LengthType")
+@XmlSeeAlso({RestrictedLengthType.class})
+public class LengthType {
+
+    @XmlAttribute(required = true)
+    protected BigInteger min;
+    @XmlAttribute
+    protected BigInteger max;
+
+    /**
+     * Gets the value of the min property.
+     *
+     * @return possible object is {@link BigInteger }
+     */
+    public BigInteger getMin() {
+        return min;
+    }
+
+    /**
+     * Sets the value of the min property.
+     *
+     * @param value allowed object is {@link BigInteger }
+     */
+    public void setMin(BigInteger value) {
+        this.min = value;
+    }
+
+    /**
+     * Gets the value of the max property.
+     *
+     * @return possible object is {@link BigInteger }
+     */
+    public BigInteger getMax() {
+        return max;
+    }
+
+    /**
+     * Sets the value of the max property.
+     *
+     * @param value allowed object is {@link BigInteger }
+     */
+    public void setMax(BigInteger value) {
+        this.max = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/MediumType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/MediumType.java
new file mode 100755
index 0000000000..e955438572
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/MediumType.java
@@ -0,0 +1,81 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlEnum;
+import javax.xml.bind.annotation.XmlEnumValue;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * <p>
+ * Java class for mediumType.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ * <p>
+ *
+ * <pre>
+ * &lt;simpleType name="mediumType">
+ *   &lt;restriction base="{http://www.w3.org/2001/XMLSchema}NMTOKEN">
+ *     &lt;enumeration value="memory"/>
+ *     &lt;enumeration value="smartcard"/>
+ *     &lt;enumeration value="token"/>
+ *     &lt;enumeration value="MobileDevice"/>
+ *     &lt;enumeration value="MobileAuthCard"/>
+ *   &lt;/restriction>
+ * &lt;/simpleType>
+ * </pre>
+ */
+@XmlType(name = "mediumType")
+@XmlEnum
+public enum MediumType {
+
+    @XmlEnumValue("memory")
+    MEMORY("memory"), @XmlEnumValue("smartcard")
+    SMARTCARD("smartcard"), @XmlEnumValue("token")
+    TOKEN("token"), @XmlEnumValue("MobileDevice")
+    MOBILE_DEVICE("MobileDevice"), @XmlEnumValue("MobileAuthCard")
+    MOBILE_AUTH_CARD("MobileAuthCard");
+    private final String value;
+
+    MediumType(String v) {
+        value = v;
+    }
+
+    public String value() {
+        return value;
+    }
+
+    public static MediumType fromValue(String v) {
+        for (MediumType c : MediumType.values()) {
+            if (c.value.equals(v)) {
+                return c;
+            }
+        }
+        throw new IllegalArgumentException(v);
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/NymType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/NymType.java
new file mode 100755
index 0000000000..25d62bf6fd
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/NymType.java
@@ -0,0 +1,77 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlEnum;
+import javax.xml.bind.annotation.XmlEnumValue;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * <p>
+ * Java class for nymType.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ * <p>
+ *
+ * <pre>
+ * &lt;simpleType name="nymType">
+ *   &lt;restriction base="{http://www.w3.org/2001/XMLSchema}NMTOKEN">
+ *     &lt;enumeration value="anonymity"/>
+ *     &lt;enumeration value="verinymity"/>
+ *     &lt;enumeration value="pseudonymity"/>
+ *   &lt;/restriction>
+ * &lt;/simpleType>
+ * </pre>
+ */
+@XmlType(name = "nymType")
+@XmlEnum
+public enum NymType {
+
+    @XmlEnumValue("anonymity")
+    ANONYMITY("anonymity"), @XmlEnumValue("verinymity")
+    VERINYMITY("verinymity"), @XmlEnumValue("pseudonymity")
+    PSEUDONYMITY("pseudonymity");
+    private final String value;
+
+    NymType(String v) {
+        value = v;
+    }
+
+    public String value() {
+        return value;
+    }
+
+    public static NymType fromValue(String v) {
+        for (NymType c : NymType.values()) {
+            if (c.value.equals(v)) {
+                return c;
+            }
+        }
+        throw new IllegalArgumentException(v);
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/OperationalProtectionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/OperationalProtectionType.java
new file mode 100755
index 0000000000..66ccdedcf3
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/OperationalProtectionType.java
@@ -0,0 +1,130 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for OperationalProtectionType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="OperationalProtectionType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}SecurityAudit" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}DeactivationCallCenter" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "OperationalProtectionType", propOrder = {"securityAudit", "deactivationCallCenter", "extension"})
+public class OperationalProtectionType {
+
+    @XmlElement(name = "SecurityAudit")
+    protected SecurityAuditType securityAudit;
+    @XmlElement(name = "DeactivationCallCenter")
+    protected ExtensionOnlyType deactivationCallCenter;
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+
+    /**
+     * Gets the value of the securityAudit property.
+     *
+     * @return possible object is {@link SecurityAuditType }
+     */
+    public SecurityAuditType getSecurityAudit() {
+        return securityAudit;
+    }
+
+    /**
+     * Sets the value of the securityAudit property.
+     *
+     * @param value allowed object is {@link SecurityAuditType }
+     */
+    public void setSecurityAudit(SecurityAuditType value) {
+        this.securityAudit = value;
+    }
+
+    /**
+     * Gets the value of the deactivationCallCenter property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getDeactivationCallCenter() {
+        return deactivationCallCenter;
+    }
+
+    /**
+     * Sets the value of the deactivationCallCenter property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setDeactivationCallCenter(ExtensionOnlyType value) {
+        this.deactivationCallCenter = value;
+    }
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PasswordType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PasswordType.java
new file mode 100755
index 0000000000..1e4df238cb
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PasswordType.java
@@ -0,0 +1,177 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlSchemaType;
+import javax.xml.bind.annotation.XmlSeeAlso;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for PasswordType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="PasswordType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Length" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Alphabet" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Generation" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="ExternalVerification" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "PasswordType", propOrder = {"length", "alphabet", "generation", "extension"})
+@XmlSeeAlso({RestrictedPasswordType.class})
+public class PasswordType {
+
+    @XmlElement(name = "Length")
+    protected LengthType length;
+    @XmlElement(name = "Alphabet")
+    protected AlphabetType alphabet;
+    @XmlElement(name = "Generation")
+    protected Generation generation;
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+    @XmlAttribute(name = "ExternalVerification")
+    @XmlSchemaType(name = "anyURI")
+    protected String externalVerification;
+
+    /**
+     * Gets the value of the length property.
+     *
+     * @return possible object is {@link LengthType }
+     */
+    public LengthType getLength() {
+        return length;
+    }
+
+    /**
+     * Sets the value of the length property.
+     *
+     * @param value allowed object is {@link LengthType }
+     */
+    public void setLength(LengthType value) {
+        this.length = value;
+    }
+
+    /**
+     * Gets the value of the alphabet property.
+     *
+     * @return possible object is {@link AlphabetType }
+     */
+    public AlphabetType getAlphabet() {
+        return alphabet;
+    }
+
+    /**
+     * Sets the value of the alphabet property.
+     *
+     * @param value allowed object is {@link AlphabetType }
+     */
+    public void setAlphabet(AlphabetType value) {
+        this.alphabet = value;
+    }
+
+    /**
+     * Gets the value of the generation property.
+     *
+     * @return possible object is {@link Generation }
+     */
+    public Generation getGeneration() {
+        return generation;
+    }
+
+    /**
+     * Sets the value of the generation property.
+     *
+     * @param value allowed object is {@link Generation }
+     */
+    public void setGeneration(Generation value) {
+        this.generation = value;
+    }
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+    /**
+     * Gets the value of the externalVerification property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getExternalVerification() {
+        return externalVerification;
+    }
+
+    /**
+     * Sets the value of the externalVerification property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setExternalVerification(String value) {
+        this.externalVerification = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PhysicalVerification.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PhysicalVerification.java
new file mode 100755
index 0000000000..c84d589277
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PhysicalVerification.java
@@ -0,0 +1,87 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlRootElement;
+import javax.xml.bind.annotation.XmlType;
+import javax.xml.bind.annotation.adapters.CollapsedStringAdapter;
+import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
+
+/**
+ * <p>
+ * Java class for anonymous complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType>
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="credentialLevel">
+ *         &lt;simpleType>
+ *           &lt;restriction base="{http://www.w3.org/2001/XMLSchema}NMTOKEN">
+ *             &lt;enumeration value="primary"/>
+ *             &lt;enumeration value="secondary"/>
+ *           &lt;/restriction>
+ *         &lt;/simpleType>
+ *       &lt;/attribute>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "")
+@XmlRootElement(name = "PhysicalVerification")
+public class PhysicalVerification {
+
+    @XmlAttribute
+    @XmlJavaTypeAdapter(CollapsedStringAdapter.class)
+    protected String credentialLevel;
+
+    /**
+     * Gets the value of the credentialLevel property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getCredentialLevel() {
+        return credentialLevel;
+    }
+
+    /**
+     * Sets the value of the credentialLevel property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setCredentialLevel(String value) {
+        this.credentialLevel = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PrincipalAuthenticationMechanismType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PrincipalAuthenticationMechanismType.java
new file mode 100755
index 0000000000..1c9b92e51a
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PrincipalAuthenticationMechanismType.java
@@ -0,0 +1,217 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+import java.math.BigInteger;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for PrincipalAuthenticationMechanismType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="PrincipalAuthenticationMechanismType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Password" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}RestrictedPassword" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Token" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Smartcard" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}ActivationPin" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="preauth" type="{http://www.w3.org/2001/XMLSchema}integer" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "PrincipalAuthenticationMechanismType", propOrder = {"password", "restrictedPassword", "token", "smartcard",
+        "activationPin", "extension"})
+public class PrincipalAuthenticationMechanismType {
+
+    @XmlElement(name = "Password")
+    protected PasswordType password;
+    @XmlElement(name = "RestrictedPassword")
+    protected RestrictedPasswordType restrictedPassword;
+    @XmlElement(name = "Token")
+    protected TokenType token;
+    @XmlElement(name = "Smartcard")
+    protected ExtensionOnlyType smartcard;
+    @XmlElement(name = "ActivationPin")
+    protected ActivationPinType activationPin;
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+    @XmlAttribute
+    protected BigInteger preauth;
+
+    /**
+     * Gets the value of the password property.
+     *
+     * @return possible object is {@link PasswordType }
+     */
+    public PasswordType getPassword() {
+        return password;
+    }
+
+    /**
+     * Sets the value of the password property.
+     *
+     * @param value allowed object is {@link PasswordType }
+     */
+    public void setPassword(PasswordType value) {
+        this.password = value;
+    }
+
+    /**
+     * Gets the value of the restrictedPassword property.
+     *
+     * @return possible object is {@link RestrictedPasswordType }
+     */
+    public RestrictedPasswordType getRestrictedPassword() {
+        return restrictedPassword;
+    }
+
+    /**
+     * Sets the value of the restrictedPassword property.
+     *
+     * @param value allowed object is {@link RestrictedPasswordType }
+     */
+    public void setRestrictedPassword(RestrictedPasswordType value) {
+        this.restrictedPassword = value;
+    }
+
+    /**
+     * Gets the value of the token property.
+     *
+     * @return possible object is {@link TokenType }
+     */
+    public TokenType getToken() {
+        return token;
+    }
+
+    /**
+     * Sets the value of the token property.
+     *
+     * @param value allowed object is {@link TokenType }
+     */
+    public void setToken(TokenType value) {
+        this.token = value;
+    }
+
+    /**
+     * Gets the value of the smartcard property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getSmartcard() {
+        return smartcard;
+    }
+
+    /**
+     * Sets the value of the smartcard property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setSmartcard(ExtensionOnlyType value) {
+        this.smartcard = value;
+    }
+
+    /**
+     * Gets the value of the activationPin property.
+     *
+     * @return possible object is {@link ActivationPinType }
+     */
+    public ActivationPinType getActivationPin() {
+        return activationPin;
+    }
+
+    /**
+     * Sets the value of the activationPin property.
+     *
+     * @param value allowed object is {@link ActivationPinType }
+     */
+    public void setActivationPin(ActivationPinType value) {
+        this.activationPin = value;
+    }
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+    /**
+     * Gets the value of the preauth property.
+     *
+     * @return possible object is {@link BigInteger }
+     */
+    public BigInteger getPreauth() {
+        return preauth;
+    }
+
+    /**
+     * Sets the value of the preauth property.
+     *
+     * @param value allowed object is {@link BigInteger }
+     */
+    public void setPreauth(BigInteger value) {
+        this.preauth = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PrivateKeyProtectionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PrivateKeyProtectionType.java
new file mode 100755
index 0000000000..a60767de99
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PrivateKeyProtectionType.java
@@ -0,0 +1,151 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for PrivateKeyProtectionType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="PrivateKeyProtectionType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}KeyActivation" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}KeyStorage" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}KeySharing" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "PrivateKeyProtectionType", propOrder = {"keyActivation", "keyStorage", "keySharing", "extension"})
+public class PrivateKeyProtectionType {
+
+    @XmlElement(name = "KeyActivation")
+    protected KeyActivationType keyActivation;
+    @XmlElement(name = "KeyStorage")
+    protected KeyStorageType keyStorage;
+    @XmlElement(name = "KeySharing")
+    protected KeySharingType keySharing;
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+
+    /**
+     * Gets the value of the keyActivation property.
+     *
+     * @return possible object is {@link KeyActivationType }
+     */
+    public KeyActivationType getKeyActivation() {
+        return keyActivation;
+    }
+
+    /**
+     * Sets the value of the keyActivation property.
+     *
+     * @param value allowed object is {@link KeyActivationType }
+     */
+    public void setKeyActivation(KeyActivationType value) {
+        this.keyActivation = value;
+    }
+
+    /**
+     * Gets the value of the keyStorage property.
+     *
+     * @return possible object is {@link KeyStorageType }
+     */
+    public KeyStorageType getKeyStorage() {
+        return keyStorage;
+    }
+
+    /**
+     * Sets the value of the keyStorage property.
+     *
+     * @param value allowed object is {@link KeyStorageType }
+     */
+    public void setKeyStorage(KeyStorageType value) {
+        this.keyStorage = value;
+    }
+
+    /**
+     * Gets the value of the keySharing property.
+     *
+     * @return possible object is {@link KeySharingType }
+     */
+    public KeySharingType getKeySharing() {
+        return keySharing;
+    }
+
+    /**
+     * Sets the value of the keySharing property.
+     *
+     * @param value allowed object is {@link KeySharingType }
+     */
+    public void setKeySharing(KeySharingType value) {
+        this.keySharing = value;
+    }
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PublicKeyType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PublicKeyType.java
new file mode 100755
index 0000000000..5cc58d29d8
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/PublicKeyType.java
@@ -0,0 +1,112 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlSchemaType;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for PublicKeyType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="PublicKeyType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="keyValidation" type="{http://www.w3.org/2001/XMLSchema}anySimpleType" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "PublicKeyType", propOrder = {"extension"})
+public class PublicKeyType {
+
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+    @XmlAttribute
+    @XmlSchemaType(name = "anySimpleType")
+    protected String keyValidation;
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+    /**
+     * Gets the value of the keyValidation property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getKeyValidation() {
+        return keyValidation;
+    }
+
+    /**
+     * Sets the value of the keyValidation property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setKeyValidation(String value) {
+        this.keyValidation = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/RestrictedLengthType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/RestrictedLengthType.java
new file mode 100755
index 0000000000..8b3cc090b0
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/RestrictedLengthType.java
@@ -0,0 +1,60 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * <p>
+ * Java class for RestrictedLengthType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="RestrictedLengthType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{urn:oasis:names:tc:SAML:2.0:ac}LengthType">
+ *       &lt;attribute name="min" use="required">
+ *         &lt;simpleType>
+ *           &lt;restriction base="{http://www.w3.org/2001/XMLSchema}integer">
+ *             &lt;minInclusive value="3"/>
+ *           &lt;/restriction>
+ *         &lt;/simpleType>
+ *       &lt;/attribute>
+ *       &lt;attribute name="max" type="{http://www.w3.org/2001/XMLSchema}integer" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "RestrictedLengthType")
+public class RestrictedLengthType extends LengthType {
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/RestrictedPasswordType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/RestrictedPasswordType.java
new file mode 100755
index 0000000000..e90e4a21bd
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/RestrictedPasswordType.java
@@ -0,0 +1,58 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlType;
+
+/**
+ * <p>
+ * Java class for RestrictedPasswordType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="RestrictedPasswordType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{urn:oasis:names:tc:SAML:2.0:ac}PasswordType">
+ *       &lt;sequence>
+ *         &lt;element name="Length" type="{urn:oasis:names:tc:SAML:2.0:ac}RestrictedLengthType"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Generation" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="ExternalVerification" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "RestrictedPasswordType")
+public class RestrictedPasswordType extends PasswordType {
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/SecretKeyProtectionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/SecretKeyProtectionType.java
new file mode 100755
index 0000000000..8719082867
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/SecretKeyProtectionType.java
@@ -0,0 +1,130 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for SecretKeyProtectionType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SecretKeyProtectionType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}KeyActivation" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}KeyStorage" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "SecretKeyProtectionType", propOrder = {"keyActivation", "keyStorage", "extension"})
+public class SecretKeyProtectionType {
+
+    @XmlElement(name = "KeyActivation")
+    protected KeyActivationType keyActivation;
+    @XmlElement(name = "KeyStorage")
+    protected KeyStorageType keyStorage;
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+
+    /**
+     * Gets the value of the keyActivation property.
+     *
+     * @return possible object is {@link KeyActivationType }
+     */
+    public KeyActivationType getKeyActivation() {
+        return keyActivation;
+    }
+
+    /**
+     * Sets the value of the keyActivation property.
+     *
+     * @param value allowed object is {@link KeyActivationType }
+     */
+    public void setKeyActivation(KeyActivationType value) {
+        this.keyActivation = value;
+    }
+
+    /**
+     * Gets the value of the keyStorage property.
+     *
+     * @return possible object is {@link KeyStorageType }
+     */
+    public KeyStorageType getKeyStorage() {
+        return keyStorage;
+    }
+
+    /**
+     * Sets the value of the keyStorage property.
+     *
+     * @param value allowed object is {@link KeyStorageType }
+     */
+    public void setKeyStorage(KeyStorageType value) {
+        this.keyStorage = value;
+    }
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/SecurityAuditType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/SecurityAuditType.java
new file mode 100755
index 0000000000..8cb1fa6e31
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/SecurityAuditType.java
@@ -0,0 +1,109 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for SecurityAuditType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SecurityAuditType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}SwitchAudit" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "SecurityAuditType", propOrder = {"switchAudit", "extension"})
+public class SecurityAuditType {
+
+    @XmlElement(name = "SwitchAudit")
+    protected ExtensionOnlyType switchAudit;
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+
+    /**
+     * Gets the value of the switchAudit property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getSwitchAudit() {
+        return switchAudit;
+    }
+
+    /**
+     * Sets the value of the switchAudit property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setSwitchAudit(ExtensionOnlyType value) {
+        this.switchAudit = value;
+    }
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/SharedSecretChallengeResponseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/SharedSecretChallengeResponseType.java
new file mode 100755
index 0000000000..ab68dbb3b0
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/SharedSecretChallengeResponseType.java
@@ -0,0 +1,117 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlSchemaType;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * This element indicates that the Principal has been authenticated by a challenge-response protocol utilizing shared
+ * secret
+ * keys and symmetric cryptography.
+ *
+ *
+ * <p>
+ * Java class for SharedSecretChallengeResponseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SharedSecretChallengeResponseType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="method" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "SharedSecretChallengeResponseType", propOrder = {"extension"})
+public class SharedSecretChallengeResponseType {
+
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+    @XmlAttribute
+    @XmlSchemaType(name = "anyURI")
+    protected String method;
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+    /**
+     * Gets the value of the method property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getMethod() {
+        return method;
+    }
+
+    /**
+     * Sets the value of the method property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setMethod(String value) {
+        this.method = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/TechnicalProtectionBaseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/TechnicalProtectionBaseType.java
new file mode 100755
index 0000000000..5832f61ee2
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/TechnicalProtectionBaseType.java
@@ -0,0 +1,132 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for TechnicalProtectionBaseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="TechnicalProtectionBaseType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;choice minOccurs="0">
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}PrivateKeyProtection"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}SecretKeyProtection"/>
+ *         &lt;/choice>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "TechnicalProtectionBaseType", propOrder = {"privateKeyProtection", "secretKeyProtection", "extension"})
+public class TechnicalProtectionBaseType {
+
+    @XmlElement(name = "PrivateKeyProtection")
+    protected PrivateKeyProtectionType privateKeyProtection;
+    @XmlElement(name = "SecretKeyProtection")
+    protected SecretKeyProtectionType secretKeyProtection;
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+
+    /**
+     * Gets the value of the privateKeyProtection property.
+     *
+     * @return possible object is {@link PrivateKeyProtectionType }
+     */
+    public PrivateKeyProtectionType getPrivateKeyProtection() {
+        return privateKeyProtection;
+    }
+
+    /**
+     * Sets the value of the privateKeyProtection property.
+     *
+     * @param value allowed object is {@link PrivateKeyProtectionType }
+     */
+    public void setPrivateKeyProtection(PrivateKeyProtectionType value) {
+        this.privateKeyProtection = value;
+    }
+
+    /**
+     * Gets the value of the secretKeyProtection property.
+     *
+     * @return possible object is {@link SecretKeyProtectionType }
+     */
+    public SecretKeyProtectionType getSecretKeyProtection() {
+        return secretKeyProtection;
+    }
+
+    /**
+     * Sets the value of the secretKeyProtection property.
+     *
+     * @param value allowed object is {@link SecretKeyProtectionType }
+     */
+    public void setSecretKeyProtection(SecretKeyProtectionType value) {
+        this.secretKeyProtection = value;
+    }
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/TimeSyncTokenType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/TimeSyncTokenType.java
new file mode 100755
index 0000000000..c71ec53a25
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/TimeSyncTokenType.java
@@ -0,0 +1,118 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+import javax.xml.bind.annotation.XmlType;
+import java.math.BigInteger;
+
+/**
+ * <p>
+ * Java class for TimeSyncTokenType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="TimeSyncTokenType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="DeviceType" use="required" type="{urn:oasis:names:tc:SAML:2.0:ac}DeviceTypeType" />
+ *       &lt;attribute name="SeedLength" use="required" type="{http://www.w3.org/2001/XMLSchema}integer" />
+ *       &lt;attribute name="DeviceInHand" use="required" type="{urn:oasis:names:tc:SAML:2.0:ac}booleanType" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "TimeSyncTokenType")
+public class TimeSyncTokenType {
+
+    @XmlAttribute(name = "DeviceType", required = true)
+    protected DeviceTypeType deviceType;
+    @XmlAttribute(name = "SeedLength", required = true)
+    protected BigInteger seedLength;
+    @XmlAttribute(name = "DeviceInHand", required = true)
+    protected BooleanType deviceInHand;
+
+    /**
+     * Gets the value of the deviceType property.
+     *
+     * @return possible object is {@link DeviceTypeType }
+     */
+    public DeviceTypeType getDeviceType() {
+        return deviceType;
+    }
+
+    /**
+     * Sets the value of the deviceType property.
+     *
+     * @param value allowed object is {@link DeviceTypeType }
+     */
+    public void setDeviceType(DeviceTypeType value) {
+        this.deviceType = value;
+    }
+
+    /**
+     * Gets the value of the seedLength property.
+     *
+     * @return possible object is {@link BigInteger }
+     */
+    public BigInteger getSeedLength() {
+        return seedLength;
+    }
+
+    /**
+     * Sets the value of the seedLength property.
+     *
+     * @param value allowed object is {@link BigInteger }
+     */
+    public void setSeedLength(BigInteger value) {
+        this.seedLength = value;
+    }
+
+    /**
+     * Gets the value of the deviceInHand property.
+     *
+     * @return possible object is {@link BooleanType }
+     */
+    public BooleanType getDeviceInHand() {
+        return deviceInHand;
+    }
+
+    /**
+     * Sets the value of the deviceInHand property.
+     *
+     * @param value allowed object is {@link BooleanType }
+     */
+    public void setDeviceInHand(BooleanType value) {
+        this.deviceInHand = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/TokenType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/TokenType.java
new file mode 100755
index 0000000000..995e1b2126
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/TokenType.java
@@ -0,0 +1,109 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+package org.keycloak.dom.saml.v2.ac;
+
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlElement;
+import javax.xml.bind.annotation.XmlType;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for TokenType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="TokenType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}TimeSyncToken"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac}Extension" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+@XmlAccessorType(XmlAccessType.FIELD)
+@XmlType(name = "TokenType", propOrder = {"timeSyncToken", "extension"})
+public class TokenType {
+
+    @XmlElement(name = "TimeSyncToken", required = true)
+    protected TimeSyncTokenType timeSyncToken;
+    @XmlElement(name = "Extension")
+    protected List<ExtensionType> extension;
+
+    /**
+     * Gets the value of the timeSyncToken property.
+     *
+     * @return possible object is {@link TimeSyncTokenType }
+     */
+    public TimeSyncTokenType getTimeSyncToken() {
+        return timeSyncToken;
+    }
+
+    /**
+     * Sets the value of the timeSyncToken property.
+     *
+     * @param value allowed object is {@link TimeSyncTokenType }
+     */
+    public void setTimeSyncToken(TimeSyncTokenType value) {
+        this.timeSyncToken = value;
+    }
+
+    /**
+     * Gets the value of the extension property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * extension property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getExtension().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ExtensionType }
+     */
+    public List<ExtensionType> getExtension() {
+        if (extension == null) {
+            extension = new ArrayList<ExtensionType>();
+        }
+        return this.extension;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitDurationType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitDurationType.java
new file mode 100755
index 0000000000..1e397ab1e4
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitDurationType.java
@@ -0,0 +1,57 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+import javax.xml.datatype.Duration;
+
+/**
+ * <p>
+ * Java class for ActivationLimitDurationType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ActivationLimitDurationType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="duration" use="required" type="{http://www.w3.org/2001/XMLSchema}duration" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ActivationLimitDurationType {
+
+    protected Duration duration;
+
+    public ActivationLimitDurationType(Duration theDuration) {
+        this.duration = theDuration;
+    }
+
+    /**
+     * Gets the value of the duration property.
+     *
+     * @return possible object is {@link Duration }
+     */
+    public Duration getDuration() {
+        return duration;
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitSessionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitSessionType.java
new file mode 100755
index 0000000000..005d085753
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitSessionType.java
@@ -0,0 +1,39 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for ActivationLimitSessionType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ActivationLimitSessionType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ActivationLimitSessionType {
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitType.java
new file mode 100755
index 0000000000..fa88a65536
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitType.java
@@ -0,0 +1,102 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for ActivationLimitType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ActivationLimitType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}ActivationLimitDuration"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}ActivationLimitUsages"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}ActivationLimitSession"/>
+ *       &lt;/choice>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ActivationLimitType {
+
+    protected ActivationLimitDurationType activationLimitDuration;
+    protected ActivationLimitUsagesType activationLimitUsages;
+    protected ActivationLimitSessionType activationLimitSession;
+
+    /**
+     * Gets the value of the activationLimitDuration property.
+     *
+     * @return possible object is {@link ActivationLimitDurationType }
+     */
+    public ActivationLimitDurationType getActivationLimitDuration() {
+        return activationLimitDuration;
+    }
+
+    /**
+     * Sets the value of the activationLimitDuration property.
+     *
+     * @param value allowed object is {@link ActivationLimitDurationType }
+     */
+    public void setActivationLimitDuration(ActivationLimitDurationType value) {
+        this.activationLimitDuration = value;
+    }
+
+    /**
+     * Gets the value of the activationLimitUsages property.
+     *
+     * @return possible object is {@link ActivationLimitUsagesType }
+     */
+    public ActivationLimitUsagesType getActivationLimitUsages() {
+        return activationLimitUsages;
+    }
+
+    /**
+     * Sets the value of the activationLimitUsages property.
+     *
+     * @param value allowed object is {@link ActivationLimitUsagesType }
+     */
+    public void setActivationLimitUsages(ActivationLimitUsagesType value) {
+        this.activationLimitUsages = value;
+    }
+
+    /**
+     * Gets the value of the activationLimitSession property.
+     *
+     * @return possible object is {@link ActivationLimitSessionType }
+     */
+    public ActivationLimitSessionType getActivationLimitSession() {
+        return activationLimitSession;
+    }
+
+    /**
+     * Sets the value of the activationLimitSession property.
+     *
+     * @param value allowed object is {@link ActivationLimitSessionType }
+     */
+    public void setActivationLimitSession(ActivationLimitSessionType value) {
+        this.activationLimitSession = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitUsagesType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitUsagesType.java
new file mode 100755
index 0000000000..e7d402facd
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationLimitUsagesType.java
@@ -0,0 +1,58 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+import java.math.BigInteger;
+
+/**
+ * <p>
+ * Java class for ActivationLimitUsagesType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ActivationLimitUsagesType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="number" use="required" type="{http://www.w3.org/2001/XMLSchema}integer" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+
+public class ActivationLimitUsagesType {
+
+    protected BigInteger number;
+
+    public ActivationLimitUsagesType(BigInteger theNumber) {
+        this.number = theNumber;
+    }
+
+    /**
+     * Gets the value of the number property.
+     *
+     * @return possible object is {@link BigInteger }
+     */
+    public BigInteger getNumber() {
+        return number;
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationPinType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationPinType.java
new file mode 100755
index 0000000000..f76f629ba0
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ActivationPinType.java
@@ -0,0 +1,124 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for ActivationPinType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ActivationPinType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Length" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Alphabet" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Generation" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}ActivationLimit"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ActivationPinType extends ExtensionListType {
+
+    protected LengthType length;
+    protected AlphabetType alphabet;
+    protected Generation generation;
+    protected ActivationLimitType activationLimit;
+
+    /**
+     * Gets the value of the length property.
+     *
+     * @return possible object is {@link LengthType }
+     */
+    public LengthType getLength() {
+        return length;
+    }
+
+    /**
+     * Sets the value of the length property.
+     *
+     * @param value allowed object is {@link LengthType }
+     */
+    public void setLength(LengthType value) {
+        this.length = value;
+    }
+
+    /**
+     * Gets the value of the alphabet property.
+     *
+     * @return possible object is {@link AlphabetType }
+     */
+    public AlphabetType getAlphabet() {
+        return alphabet;
+    }
+
+    /**
+     * Sets the value of the alphabet property.
+     *
+     * @param value allowed object is {@link AlphabetType }
+     */
+    public void setAlphabet(AlphabetType value) {
+        this.alphabet = value;
+    }
+
+    /**
+     * Gets the value of the generation property.
+     *
+     * @return possible object is {@link Generation }
+     */
+    public Generation getGeneration() {
+        return generation;
+    }
+
+    /**
+     * Sets the value of the generation property.
+     *
+     * @param value allowed object is {@link Generation }
+     */
+    public void setGeneration(Generation value) {
+        this.generation = value;
+    }
+
+    /**
+     * Gets the value of the activationLimit property.
+     *
+     * @return possible object is {@link ActivationLimitType }
+     */
+    public ActivationLimitType getActivationLimit() {
+        return activationLimit;
+    }
+
+    /**
+     * Sets the value of the activationLimit property.
+     *
+     * @param value allowed object is {@link ActivationLimitType }
+     */
+    public void setActivationLimit(ActivationLimitType value) {
+        this.activationLimit = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AlphabetType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AlphabetType.java
new file mode 100755
index 0000000000..495c9dff4d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AlphabetType.java
@@ -0,0 +1,100 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for AlphabetType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AlphabetType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="requiredChars" use="required" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *       &lt;attribute name="excludedChars" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *       &lt;attribute name="case" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AlphabetType {
+
+    protected String requiredChars;
+    protected String excludedChars;
+    protected String _case;
+
+    /**
+     * Gets the value of the requiredChars property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getRequiredChars() {
+        return requiredChars;
+    }
+
+    /**
+     * Sets the value of the requiredChars property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setRequiredChars(String value) {
+        this.requiredChars = value;
+    }
+
+    /**
+     * Gets the value of the excludedChars property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getExcludedChars() {
+        return excludedChars;
+    }
+
+    /**
+     * Sets the value of the excludedChars property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setExcludedChars(String value) {
+        this.excludedChars = value;
+    }
+
+    /**
+     * Gets the value of the case property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getCase() {
+        return _case;
+    }
+
+    /**
+     * Sets the value of the case property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setCase(String value) {
+        this._case = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthenticatorBaseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthenticatorBaseType.java
new file mode 100755
index 0000000000..91e8866758
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthenticatorBaseType.java
@@ -0,0 +1,44 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for AuthenticatorBaseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthenticatorBaseType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}AuthenticatorBaseType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Password"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}SubscriberLineNumber"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}UserSuffix"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AuthenticatorBaseType extends OriginalAuthenticatorBaseType {
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthenticatorTransportProtocolType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthenticatorTransportProtocolType.java
new file mode 100755
index 0000000000..30dd33a75e
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthenticatorTransportProtocolType.java
@@ -0,0 +1,48 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for AuthenticatorTransportProtocolType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthenticatorTransportProtocolType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}AuthenticatorTransportProtocolType">
+ *       &lt;sequence>
+ *         &lt;choice>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}PSTN"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}ISDN"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}ADSL"/>
+ *         &lt;/choice>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AuthenticatorTransportProtocolType extends OriginalAuthenticatorTransportProtocolType {
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthnContextDeclarationBaseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthnContextDeclarationBaseType.java
new file mode 100755
index 0000000000..5987eecd0d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthnContextDeclarationBaseType.java
@@ -0,0 +1,53 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for AuthnContextDeclarationBaseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthnContextDeclarationBaseType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}AuthnContextDeclarationBaseType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Identification"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}TechnicalProtection"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}OperationalProtection"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}AuthnMethod"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}GoverningAgreements"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="ID" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AuthnContextDeclarationBaseType extends OriginalAuthnContextDeclarationBaseType {
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthnMethodBaseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthnMethodBaseType.java
new file mode 100755
index 0000000000..6b22bb19e5
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/AuthnMethodBaseType.java
@@ -0,0 +1,47 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for AuthnMethodBaseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthnMethodBaseType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}AuthnMethodBaseType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}PrincipalAuthenticationMechanism"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Authenticator"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}AuthenticatorTransportProtocol"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AuthnMethodBaseType extends OriginalAuthnMethodBaseType {
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ComplexAuthenticatorType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ComplexAuthenticatorType.java
new file mode 100755
index 0000000000..73849bb0aa
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ComplexAuthenticatorType.java
@@ -0,0 +1,43 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for ComplexAuthenticatorType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ComplexAuthenticatorType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;group ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}AuthenticatorChoiceGroup"/>
+ *         &lt;group ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}AuthenticatorSequenceGroup"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ComplexAuthenticatorType extends ObjectListType {
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/DeviceTypeType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/DeviceTypeType.java
new file mode 100755
index 0000000000..a65d7d399a
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/DeviceTypeType.java
@@ -0,0 +1,60 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for DeviceTypeType.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ * <p>
+ *
+ * <pre>
+ * &lt;simpleType name="DeviceTypeType">
+ *   &lt;restriction base="{http://www.w3.org/2001/XMLSchema}NMTOKEN">
+ *     &lt;enumeration value="hardware"/>
+ *     &lt;enumeration value="software"/>
+ *   &lt;/restriction>
+ * &lt;/simpleType>
+ * </pre>
+ */
+public enum DeviceTypeType {
+
+    HARDWARE("hardware"), SOFTWARE("software");
+    private final String value;
+
+    DeviceTypeType(String v) {
+        value = v;
+    }
+
+    public String value() {
+        return value;
+    }
+
+    public static DeviceTypeType fromValue(String v) {
+        for (DeviceTypeType c : DeviceTypeType.values()) {
+            if (c.value.equals(v)) {
+                return c;
+            }
+        }
+        throw new IllegalArgumentException(v);
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ExtensionListType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ExtensionListType.java
new file mode 100755
index 0000000000..239f660269
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ExtensionListType.java
@@ -0,0 +1,46 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.ac.classes;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * A type that contains a list of ExtensionType
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Feb 3, 2011
+ */
+public class ExtensionListType {
+
+    protected List<ExtensionType> content = new ArrayList<ExtensionType>();
+
+    public void add(ExtensionType obj) {
+        this.content.add(obj);
+    }
+
+    public void remove(ExtensionType obj) {
+        this.content.remove(obj);
+    }
+
+    public List<ExtensionType> getContent() {
+
+        return Collections.unmodifiableList(this.content);
+    }
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ExtensionOnlyType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ExtensionOnlyType.java
new file mode 100755
index 0000000000..a590c01a04
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ExtensionOnlyType.java
@@ -0,0 +1,43 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for ExtensionOnlyType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ExtensionOnlyType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ExtensionOnlyType extends ExtensionListType {
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ExtensionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ExtensionType.java
new file mode 100755
index 0000000000..9d64dcbc84
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ExtensionType.java
@@ -0,0 +1,42 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for ExtensionType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ExtensionType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ExtensionType extends ObjectListType {
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/Generation.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/Generation.java
new file mode 100755
index 0000000000..c5af9bcd81
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/Generation.java
@@ -0,0 +1,67 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for anonymous complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType>
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="mechanism" use="required">
+ *         &lt;simpleType>
+ *           &lt;restriction base="{http://www.w3.org/2001/XMLSchema}NMTOKEN">
+ *             &lt;enumeration value="principalchosen"/>
+ *             &lt;enumeration value="automatic"/>
+ *           &lt;/restriction>
+ *         &lt;/simpleType>
+ *       &lt;/attribute>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class Generation {
+
+    protected String mechanism;
+
+    /**
+     * Gets the value of the mechanism property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getMechanism() {
+        return mechanism;
+    }
+
+    /**
+     * Sets the value of the mechanism property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setMechanism(String value) {
+        this.mechanism = value;
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/GoverningAgreementRefType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/GoverningAgreementRefType.java
new file mode 100755
index 0000000000..0f18438eb7
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/GoverningAgreementRefType.java
@@ -0,0 +1,60 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for GoverningAgreementRefType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="GoverningAgreementRefType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="governingAgreementRef" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class GoverningAgreementRefType {
+
+    protected String governingAgreementRef;
+
+    /**
+     * Gets the value of the governingAgreementRef property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getGoverningAgreementRef() {
+        return governingAgreementRef;
+    }
+
+    /**
+     * Sets the value of the governingAgreementRef property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setGoverningAgreementRef(String value) {
+        this.governingAgreementRef = value;
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/GoverningAgreementsType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/GoverningAgreementsType.java
new file mode 100755
index 0000000000..51cbc00dd4
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/GoverningAgreementsType.java
@@ -0,0 +1,67 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for GoverningAgreementsType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="GoverningAgreementsType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}GoverningAgreementRef"
+ * maxOccurs="unbounded"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class GoverningAgreementsType {
+
+    protected List<GoverningAgreementRefType> governingAgreementRef = new ArrayList<GoverningAgreementRefType>();
+
+    public void add(GoverningAgreementRefType gov) {
+        this.governingAgreementRef.add(gov);
+    }
+
+    public void remove(GoverningAgreementRefType gov) {
+        this.governingAgreementRef.remove(gov);
+    }
+
+    /**
+     * Gets the value of the governingAgreementRef property.
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link GoverningAgreementRefType }
+     */
+    public List<GoverningAgreementRefType> getGoverningAgreementRef() {
+        return Collections.unmodifiableList(this.governingAgreementRef);
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/IdentificationType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/IdentificationType.java
new file mode 100755
index 0000000000..62de9ec8bb
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/IdentificationType.java
@@ -0,0 +1,127 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for IdentificationType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="IdentificationType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}PhysicalVerification"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}WrittenConsent"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}GoverningAgreements"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="nym" type="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}nymType" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class IdentificationType extends ExtensionListType {
+
+    protected PhysicalVerification physicalVerification;
+    protected ExtensionOnlyType writtenConsent;
+    protected GoverningAgreementsType governingAgreements;
+    protected NymType nym;
+
+    /**
+     * Gets the value of the physicalVerification property.
+     *
+     * @return possible object is {@link PhysicalVerification }
+     */
+    public PhysicalVerification getPhysicalVerification() {
+        return physicalVerification;
+    }
+
+    /**
+     * Sets the value of the physicalVerification property.
+     *
+     * @param value allowed object is {@link PhysicalVerification }
+     */
+    public void setPhysicalVerification(PhysicalVerification value) {
+        this.physicalVerification = value;
+    }
+
+    /**
+     * Gets the value of the writtenConsent property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getWrittenConsent() {
+        return writtenConsent;
+    }
+
+    /**
+     * Sets the value of the writtenConsent property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setWrittenConsent(ExtensionOnlyType value) {
+        this.writtenConsent = value;
+    }
+
+    /**
+     * Gets the value of the governingAgreements property.
+     *
+     * @return possible object is {@link GoverningAgreementsType }
+     */
+    public GoverningAgreementsType getGoverningAgreements() {
+        return governingAgreements;
+    }
+
+    /**
+     * Sets the value of the governingAgreements property.
+     *
+     * @param value allowed object is {@link GoverningAgreementsType }
+     */
+    public void setGoverningAgreements(GoverningAgreementsType value) {
+        this.governingAgreements = value;
+    }
+
+    /**
+     * Gets the value of the nym property.
+     *
+     * @return possible object is {@link NymType }
+     */
+    public NymType getNym() {
+        return nym;
+    }
+
+    /**
+     * Sets the value of the nym property.
+     *
+     * @param value allowed object is {@link NymType }
+     */
+    public void setNym(NymType value) {
+        this.nym = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/KeyActivationType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/KeyActivationType.java
new file mode 100755
index 0000000000..0fd07767d2
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/KeyActivationType.java
@@ -0,0 +1,65 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for KeyActivationType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="KeyActivationType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}ActivationPin"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class KeyActivationType extends ExtensionListType {
+
+    protected ActivationPinType activationPin;
+
+    /**
+     * Gets the value of the activationPin property.
+     *
+     * @return possible object is {@link ActivationPinType }
+     */
+    public ActivationPinType getActivationPin() {
+        return activationPin;
+    }
+
+    /**
+     * Sets the value of the activationPin property.
+     *
+     * @param value allowed object is {@link ActivationPinType }
+     */
+    public void setActivationPin(ActivationPinType value) {
+        this.activationPin = value;
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/KeySharingType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/KeySharingType.java
new file mode 100755
index 0000000000..9e2485a51b
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/KeySharingType.java
@@ -0,0 +1,56 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for KeySharingType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="KeySharingType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="sharing" use="required" type="{http://www.w3.org/2001/XMLSchema}boolean" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class KeySharingType {
+
+    protected boolean sharing;
+
+    /**
+     * Gets the value of the sharing property.
+     */
+    public boolean isSharing() {
+        return sharing;
+    }
+
+    /**
+     * Sets the value of the sharing property.
+     */
+    public void setSharing(boolean value) {
+        this.sharing = value;
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/KeyStorageType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/KeyStorageType.java
new file mode 100755
index 0000000000..f7c20465e0
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/KeyStorageType.java
@@ -0,0 +1,61 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for KeyStorageType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="KeyStorageType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="medium" use="required" type="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}mediumType"
+ * />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class KeyStorageType {
+
+    protected MediumType medium;
+
+    /**
+     * Gets the value of the medium property.
+     *
+     * @return possible object is {@link MediumType }
+     */
+    public MediumType getMedium() {
+        return medium;
+    }
+
+    /**
+     * Sets the value of the medium property.
+     *
+     * @param value allowed object is {@link MediumType }
+     */
+    public void setMedium(MediumType value) {
+        this.medium = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/LengthType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/LengthType.java
new file mode 100755
index 0000000000..0858fc420d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/LengthType.java
@@ -0,0 +1,82 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+import java.math.BigInteger;
+
+/**
+ * <p>
+ * Java class for LengthType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="LengthType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="min" use="required" type="{http://www.w3.org/2001/XMLSchema}integer" />
+ *       &lt;attribute name="max" type="{http://www.w3.org/2001/XMLSchema}integer" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class LengthType {
+
+    protected BigInteger min;
+    protected BigInteger max;
+
+    /**
+     * Gets the value of the min property.
+     *
+     * @return possible object is {@link BigInteger }
+     */
+    public BigInteger getMin() {
+        return min;
+    }
+
+    /**
+     * Sets the value of the min property.
+     *
+     * @param value allowed object is {@link BigInteger }
+     */
+    public void setMin(BigInteger value) {
+        this.min = value;
+    }
+
+    /**
+     * Gets the value of the max property.
+     *
+     * @return possible object is {@link BigInteger }
+     */
+    public BigInteger getMax() {
+        return max;
+    }
+
+    /**
+     * Sets the value of the max property.
+     *
+     * @param value allowed object is {@link BigInteger }
+     */
+    public void setMax(BigInteger value) {
+        this.max = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/MediumType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/MediumType.java
new file mode 100755
index 0000000000..c56459d6c1
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/MediumType.java
@@ -0,0 +1,63 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for mediumType.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ * <p>
+ *
+ * <pre>
+ * &lt;simpleType name="mediumType">
+ *   &lt;restriction base="{http://www.w3.org/2001/XMLSchema}NMTOKEN">
+ *     &lt;enumeration value="memory"/>
+ *     &lt;enumeration value="smartcard"/>
+ *     &lt;enumeration value="token"/>
+ *     &lt;enumeration value="MobileDevice"/>
+ *     &lt;enumeration value="MobileAuthCard"/>
+ *   &lt;/restriction>
+ * &lt;/simpleType>
+ * </pre>
+ */
+public enum MediumType {
+
+    MEMORY("memory"), SMARTCARD("smartcard"), TOKEN("token"), MOBILE_DEVICE("MobileDevice"), MOBILE_AUTH_CARD("MobileAuthCard");
+    private final String value;
+
+    MediumType(String v) {
+        value = v;
+    }
+
+    public String value() {
+        return value;
+    }
+
+    public static MediumType fromValue(String v) {
+        for (MediumType c : MediumType.values()) {
+            if (c.value.equals(v)) {
+                return c;
+            }
+        }
+        throw new IllegalArgumentException(v);
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/NymType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/NymType.java
new file mode 100755
index 0000000000..c681364346
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/NymType.java
@@ -0,0 +1,61 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for nymType.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ * <p>
+ *
+ * <pre>
+ * &lt;simpleType name="nymType">
+ *   &lt;restriction base="{http://www.w3.org/2001/XMLSchema}NMTOKEN">
+ *     &lt;enumeration value="anonymity"/>
+ *     &lt;enumeration value="verinymity"/>
+ *     &lt;enumeration value="pseudonymity"/>
+ *   &lt;/restriction>
+ * &lt;/simpleType>
+ * </pre>
+ */
+public enum NymType {
+
+    ANONYMITY("anonymity"), VERINYMITY("verinymity"), PSEUDONYMITY("pseudonymity");
+    private final String value;
+
+    NymType(String v) {
+        value = v;
+    }
+
+    public String value() {
+        return value;
+    }
+
+    public static NymType fromValue(String v) {
+        for (NymType c : NymType.values()) {
+            if (c.value.equals(v)) {
+                return c;
+            }
+        }
+        throw new IllegalArgumentException(v);
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ObjectListType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ObjectListType.java
new file mode 100755
index 0000000000..accc550170
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/ObjectListType.java
@@ -0,0 +1,46 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.ac.classes;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * A type that contains a list of objects
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Feb 3, 2011
+ */
+public class ObjectListType {
+
+    protected List<Object> content = new ArrayList<Object>();
+
+    public void add(Object obj) {
+        this.content.add(obj);
+    }
+
+    public void remove(Object obj) {
+        this.content.remove(obj);
+    }
+
+    public List<Object> getContent() {
+
+        return Collections.unmodifiableList(this.content);
+    }
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OperationalProtectionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OperationalProtectionType.java
new file mode 100755
index 0000000000..b5e6e49a01
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OperationalProtectionType.java
@@ -0,0 +1,85 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for OperationalProtectionType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="OperationalProtectionType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}SecurityAudit"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}DeactivationCallCenter"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class OperationalProtectionType extends ExtensionListType {
+
+    protected SecurityAuditType securityAudit;
+    protected ExtensionOnlyType deactivationCallCenter;
+
+    /**
+     * Gets the value of the securityAudit property.
+     *
+     * @return possible object is {@link SecurityAuditType }
+     */
+    public SecurityAuditType getSecurityAudit() {
+        return securityAudit;
+    }
+
+    /**
+     * Sets the value of the securityAudit property.
+     *
+     * @param value allowed object is {@link SecurityAuditType }
+     */
+    public void setSecurityAudit(SecurityAuditType value) {
+        this.securityAudit = value;
+    }
+
+    /**
+     * Gets the value of the deactivationCallCenter property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getDeactivationCallCenter() {
+        return deactivationCallCenter;
+    }
+
+    /**
+     * Sets the value of the deactivationCallCenter property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setDeactivationCallCenter(ExtensionOnlyType value) {
+        this.deactivationCallCenter = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthenticatorBaseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthenticatorBaseType.java
new file mode 100755
index 0000000000..61c658262e
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthenticatorBaseType.java
@@ -0,0 +1,43 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for AuthenticatorBaseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthenticatorBaseType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;group ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}AuthenticatorChoiceGroup"/>
+ *         &lt;group ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}AuthenticatorSequenceGroup"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class OriginalAuthenticatorBaseType extends ObjectListType {
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthenticatorTransportProtocolType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthenticatorTransportProtocolType.java
new file mode 100755
index 0000000000..86d637b4d8
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthenticatorTransportProtocolType.java
@@ -0,0 +1,246 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for AuthenticatorTransportProtocolType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthenticatorTransportProtocolType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;choice minOccurs="0">
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}HTTP"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}SSL"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}MobileNetworkNoEncryption"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}MobileNetworkRadioEncryption"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}MobileNetworkEndToEndEncryption"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}WTLS"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}IPSec"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}PSTN"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}ISDN"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}ADSL"/>
+ *         &lt;/choice>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class OriginalAuthenticatorTransportProtocolType extends ExtensionListType {
+
+    protected ExtensionOnlyType http;
+    protected ExtensionOnlyType ssl;
+    protected ExtensionOnlyType mobileNetworkNoEncryption;
+    protected ExtensionOnlyType mobileNetworkRadioEncryption;
+    protected ExtensionOnlyType mobileNetworkEndToEndEncryption;
+    protected ExtensionOnlyType wtls;
+    protected ExtensionOnlyType ipSec;
+    protected ExtensionOnlyType pstn;
+    protected ExtensionOnlyType isdn;
+    protected ExtensionOnlyType adsl;
+
+    /**
+     * Gets the value of the http property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getHTTP() {
+        return http;
+    }
+
+    /**
+     * Sets the value of the http property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setHTTP(ExtensionOnlyType value) {
+        this.http = value;
+    }
+
+    /**
+     * Gets the value of the ssl property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getSSL() {
+        return ssl;
+    }
+
+    /**
+     * Sets the value of the ssl property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setSSL(ExtensionOnlyType value) {
+        this.ssl = value;
+    }
+
+    /**
+     * Gets the value of the mobileNetworkNoEncryption property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getMobileNetworkNoEncryption() {
+        return mobileNetworkNoEncryption;
+    }
+
+    /**
+     * Sets the value of the mobileNetworkNoEncryption property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setMobileNetworkNoEncryption(ExtensionOnlyType value) {
+        this.mobileNetworkNoEncryption = value;
+    }
+
+    /**
+     * Gets the value of the mobileNetworkRadioEncryption property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getMobileNetworkRadioEncryption() {
+        return mobileNetworkRadioEncryption;
+    }
+
+    /**
+     * Sets the value of the mobileNetworkRadioEncryption property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setMobileNetworkRadioEncryption(ExtensionOnlyType value) {
+        this.mobileNetworkRadioEncryption = value;
+    }
+
+    /**
+     * Gets the value of the mobileNetworkEndToEndEncryption property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getMobileNetworkEndToEndEncryption() {
+        return mobileNetworkEndToEndEncryption;
+    }
+
+    /**
+     * Sets the value of the mobileNetworkEndToEndEncryption property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setMobileNetworkEndToEndEncryption(ExtensionOnlyType value) {
+        this.mobileNetworkEndToEndEncryption = value;
+    }
+
+    /**
+     * Gets the value of the wtls property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getWTLS() {
+        return wtls;
+    }
+
+    /**
+     * Sets the value of the wtls property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setWTLS(ExtensionOnlyType value) {
+        this.wtls = value;
+    }
+
+    /**
+     * Gets the value of the ipSec property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getIPSec() {
+        return ipSec;
+    }
+
+    /**
+     * Sets the value of the ipSec property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setIPSec(ExtensionOnlyType value) {
+        this.ipSec = value;
+    }
+
+    /**
+     * Gets the value of the pstn property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getPSTN() {
+        return pstn;
+    }
+
+    /**
+     * Sets the value of the pstn property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setPSTN(ExtensionOnlyType value) {
+        this.pstn = value;
+    }
+
+    /**
+     * Gets the value of the isdn property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getISDN() {
+        return isdn;
+    }
+
+    /**
+     * Sets the value of the isdn property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setISDN(ExtensionOnlyType value) {
+        this.isdn = value;
+    }
+
+    /**
+     * Gets the value of the adsl property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getADSL() {
+        return adsl;
+    }
+
+    /**
+     * Sets the value of the adsl property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setADSL(ExtensionOnlyType value) {
+        this.adsl = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthnContextDeclarationBaseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthnContextDeclarationBaseType.java
new file mode 100755
index 0000000000..102d1355a9
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthnContextDeclarationBaseType.java
@@ -0,0 +1,168 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for AuthnContextDeclarationBaseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthnContextDeclarationBaseType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Identification"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}TechnicalProtection"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}OperationalProtection"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}AuthnMethod" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}GoverningAgreements"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="ID" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class OriginalAuthnContextDeclarationBaseType extends ExtensionListType {
+
+    protected IdentificationType identification;
+    protected TechnicalProtectionBaseType technicalProtection;
+    protected OperationalProtectionType operationalProtection;
+    protected AuthnMethodBaseType authnMethod;
+    protected GoverningAgreementsType governingAgreements;
+    protected String id;
+
+    /**
+     * Gets the value of the identification property.
+     *
+     * @return possible object is {@link IdentificationType }
+     */
+    public IdentificationType getIdentification() {
+        return identification;
+    }
+
+    /**
+     * Sets the value of the identification property.
+     *
+     * @param value allowed object is {@link IdentificationType }
+     */
+    public void setIdentification(IdentificationType value) {
+        this.identification = value;
+    }
+
+    /**
+     * Gets the value of the technicalProtection property.
+     *
+     * @return possible object is {@link TechnicalProtectionBaseType }
+     */
+    public TechnicalProtectionBaseType getTechnicalProtection() {
+        return technicalProtection;
+    }
+
+    /**
+     * Sets the value of the technicalProtection property.
+     *
+     * @param value allowed object is {@link TechnicalProtectionBaseType }
+     */
+    public void setTechnicalProtection(TechnicalProtectionBaseType value) {
+        this.technicalProtection = value;
+    }
+
+    /**
+     * Gets the value of the operationalProtection property.
+     *
+     * @return possible object is {@link OperationalProtectionType }
+     */
+    public OperationalProtectionType getOperationalProtection() {
+        return operationalProtection;
+    }
+
+    /**
+     * Sets the value of the operationalProtection property.
+     *
+     * @param value allowed object is {@link OperationalProtectionType }
+     */
+    public void setOperationalProtection(OperationalProtectionType value) {
+        this.operationalProtection = value;
+    }
+
+    /**
+     * Gets the value of the authnMethod property.
+     *
+     * @return possible object is {@link AuthnMethodBaseType }
+     */
+    public AuthnMethodBaseType getAuthnMethod() {
+        return authnMethod;
+    }
+
+    /**
+     * Sets the value of the authnMethod property.
+     *
+     * @param value allowed object is {@link AuthnMethodBaseType }
+     */
+    public void setAuthnMethod(AuthnMethodBaseType value) {
+        this.authnMethod = value;
+    }
+
+    /**
+     * Gets the value of the governingAgreements property.
+     *
+     * @return possible object is {@link GoverningAgreementsType }
+     */
+    public GoverningAgreementsType getGoverningAgreements() {
+        return governingAgreements;
+    }
+
+    /**
+     * Sets the value of the governingAgreements property.
+     *
+     * @param value allowed object is {@link GoverningAgreementsType }
+     */
+    public void setGoverningAgreements(GoverningAgreementsType value) {
+        this.governingAgreements = value;
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getID() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setID(String value) {
+        this.id = value;
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthnMethodBaseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthnMethodBaseType.java
new file mode 100755
index 0000000000..77e4c4360d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/OriginalAuthnMethodBaseType.java
@@ -0,0 +1,107 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for AuthnMethodBaseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthnMethodBaseType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}PrincipalAuthenticationMechanism"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Authenticator"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}AuthenticatorTransportProtocol"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class OriginalAuthnMethodBaseType extends ExtensionListType {
+
+    protected PrincipalAuthenticationMechanismType principalAuthenticationMechanism;
+    protected AuthenticatorBaseType authenticator;
+    protected AuthenticatorTransportProtocolType authenticatorTransportProtocol;
+
+    /**
+     * Gets the value of the principalAuthenticationMechanism property.
+     *
+     * @return possible object is {@link PrincipalAuthenticationMechanismType }
+     */
+    public PrincipalAuthenticationMechanismType getPrincipalAuthenticationMechanism() {
+        return principalAuthenticationMechanism;
+    }
+
+    /**
+     * Sets the value of the principalAuthenticationMechanism property.
+     *
+     * @param value allowed object is {@link PrincipalAuthenticationMechanismType }
+     */
+    public void setPrincipalAuthenticationMechanism(PrincipalAuthenticationMechanismType value) {
+        this.principalAuthenticationMechanism = value;
+    }
+
+    /**
+     * Gets the value of the authenticator property.
+     *
+     * @return possible object is {@link AuthenticatorBaseType }
+     */
+    public AuthenticatorBaseType getAuthenticator() {
+        return authenticator;
+    }
+
+    /**
+     * Sets the value of the authenticator property.
+     *
+     * @param value allowed object is {@link AuthenticatorBaseType }
+     */
+    public void setAuthenticator(AuthenticatorBaseType value) {
+        this.authenticator = value;
+    }
+
+    /**
+     * Gets the value of the authenticatorTransportProtocol property.
+     *
+     * @return possible object is {@link AuthenticatorTransportProtocolType }
+     */
+    public AuthenticatorTransportProtocolType getAuthenticatorTransportProtocol() {
+        return authenticatorTransportProtocol;
+    }
+
+    /**
+     * Sets the value of the authenticatorTransportProtocol property.
+     *
+     * @param value allowed object is {@link AuthenticatorTransportProtocolType }
+     */
+    public void setAuthenticatorTransportProtocol(AuthenticatorTransportProtocolType value) {
+        this.authenticatorTransportProtocol = value;
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PasswordType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PasswordType.java
new file mode 100755
index 0000000000..1362b764e2
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PasswordType.java
@@ -0,0 +1,124 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for PasswordType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="PasswordType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Length" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Alphabet" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Generation" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="ExternalVerification" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class PasswordType extends ExtensionListType {
+
+    protected LengthType length;
+    protected AlphabetType alphabet;
+    protected Generation generation;
+    protected String externalVerification;
+
+    /**
+     * Gets the value of the length property.
+     *
+     * @return possible object is {@link LengthType }
+     */
+    public LengthType getLength() {
+        return length;
+    }
+
+    /**
+     * Sets the value of the length property.
+     *
+     * @param value allowed object is {@link LengthType }
+     */
+    public void setLength(LengthType value) {
+        this.length = value;
+    }
+
+    /**
+     * Gets the value of the alphabet property.
+     *
+     * @return possible object is {@link AlphabetType }
+     */
+    public AlphabetType getAlphabet() {
+        return alphabet;
+    }
+
+    /**
+     * Sets the value of the alphabet property.
+     *
+     * @param value allowed object is {@link AlphabetType }
+     */
+    public void setAlphabet(AlphabetType value) {
+        this.alphabet = value;
+    }
+
+    /**
+     * Gets the value of the generation property.
+     *
+     * @return possible object is {@link Generation }
+     */
+    public Generation getGeneration() {
+        return generation;
+    }
+
+    /**
+     * Sets the value of the generation property.
+     *
+     * @param value allowed object is {@link Generation }
+     */
+    public void setGeneration(Generation value) {
+        this.generation = value;
+    }
+
+    /**
+     * Gets the value of the externalVerification property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getExternalVerification() {
+        return externalVerification;
+    }
+
+    /**
+     * Sets the value of the externalVerification property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setExternalVerification(String value) {
+        this.externalVerification = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PhysicalVerification.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PhysicalVerification.java
new file mode 100755
index 0000000000..2edb1d82e1
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PhysicalVerification.java
@@ -0,0 +1,67 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for anonymous complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType>
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="credentialLevel">
+ *         &lt;simpleType>
+ *           &lt;restriction base="{http://www.w3.org/2001/XMLSchema}NMTOKEN">
+ *             &lt;enumeration value="primary"/>
+ *             &lt;enumeration value="secondary"/>
+ *           &lt;/restriction>
+ *         &lt;/simpleType>
+ *       &lt;/attribute>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class PhysicalVerification {
+
+    protected String credentialLevel;
+
+    /**
+     * Gets the value of the credentialLevel property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getCredentialLevel() {
+        return credentialLevel;
+    }
+
+    /**
+     * Sets the value of the credentialLevel property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setCredentialLevel(String value) {
+        this.credentialLevel = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PrincipalAuthenticationMechanismType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PrincipalAuthenticationMechanismType.java
new file mode 100755
index 0000000000..8c8775ec21
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PrincipalAuthenticationMechanismType.java
@@ -0,0 +1,168 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+import java.math.BigInteger;
+
+/**
+ * <p>
+ * Java class for PrincipalAuthenticationMechanismType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="PrincipalAuthenticationMechanismType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Password" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}RestrictedPassword"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Token" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Smartcard" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}ActivationPin"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="preauth" type="{http://www.w3.org/2001/XMLSchema}integer" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class PrincipalAuthenticationMechanismType extends ExtensionListType {
+
+    protected PasswordType password;
+    protected RestrictedPasswordType restrictedPassword;
+    protected TokenType token;
+    protected ExtensionOnlyType smartcard;
+    protected ActivationPinType activationPin;
+    protected BigInteger preauth;
+
+    /**
+     * Gets the value of the password property.
+     *
+     * @return possible object is {@link PasswordType }
+     */
+    public PasswordType getPassword() {
+        return password;
+    }
+
+    /**
+     * Sets the value of the password property.
+     *
+     * @param value allowed object is {@link PasswordType }
+     */
+    public void setPassword(PasswordType value) {
+        this.password = value;
+    }
+
+    /**
+     * Gets the value of the restrictedPassword property.
+     *
+     * @return possible object is {@link RestrictedPasswordType }
+     */
+    public RestrictedPasswordType getRestrictedPassword() {
+        return restrictedPassword;
+    }
+
+    /**
+     * Sets the value of the restrictedPassword property.
+     *
+     * @param value allowed object is {@link RestrictedPasswordType }
+     */
+    public void setRestrictedPassword(RestrictedPasswordType value) {
+        this.restrictedPassword = value;
+    }
+
+    /**
+     * Gets the value of the token property.
+     *
+     * @return possible object is {@link TokenType }
+     */
+    public TokenType getToken() {
+        return token;
+    }
+
+    /**
+     * Sets the value of the token property.
+     *
+     * @param value allowed object is {@link TokenType }
+     */
+    public void setToken(TokenType value) {
+        this.token = value;
+    }
+
+    /**
+     * Gets the value of the smartcard property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getSmartcard() {
+        return smartcard;
+    }
+
+    /**
+     * Sets the value of the smartcard property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setSmartcard(ExtensionOnlyType value) {
+        this.smartcard = value;
+    }
+
+    /**
+     * Gets the value of the activationPin property.
+     *
+     * @return possible object is {@link ActivationPinType }
+     */
+    public ActivationPinType getActivationPin() {
+        return activationPin;
+    }
+
+    /**
+     * Sets the value of the activationPin property.
+     *
+     * @param value allowed object is {@link ActivationPinType }
+     */
+    public void setActivationPin(ActivationPinType value) {
+        this.activationPin = value;
+    }
+
+    /**
+     * Gets the value of the preauth property.
+     *
+     * @return possible object is {@link BigInteger }
+     */
+    public BigInteger getPreauth() {
+        return preauth;
+    }
+
+    /**
+     * Sets the value of the preauth property.
+     *
+     * @param value allowed object is {@link BigInteger }
+     */
+    public void setPreauth(BigInteger value) {
+        this.preauth = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PrivateKeyProtectionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PrivateKeyProtectionType.java
new file mode 100755
index 0000000000..640e49173a
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PrivateKeyProtectionType.java
@@ -0,0 +1,104 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for PrivateKeyProtectionType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="PrivateKeyProtectionType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}KeyActivation"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}KeyStorage" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}KeySharing" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class PrivateKeyProtectionType extends ExtensionListType {
+
+    protected KeyActivationType keyActivation;
+    protected KeyStorageType keyStorage;
+    protected KeySharingType keySharing;
+
+    /**
+     * Gets the value of the keyActivation property.
+     *
+     * @return possible object is {@link KeyActivationType }
+     */
+    public KeyActivationType getKeyActivation() {
+        return keyActivation;
+    }
+
+    /**
+     * Sets the value of the keyActivation property.
+     *
+     * @param value allowed object is {@link KeyActivationType }
+     */
+    public void setKeyActivation(KeyActivationType value) {
+        this.keyActivation = value;
+    }
+
+    /**
+     * Gets the value of the keyStorage property.
+     *
+     * @return possible object is {@link KeyStorageType }
+     */
+    public KeyStorageType getKeyStorage() {
+        return keyStorage;
+    }
+
+    /**
+     * Sets the value of the keyStorage property.
+     *
+     * @param value allowed object is {@link KeyStorageType }
+     */
+    public void setKeyStorage(KeyStorageType value) {
+        this.keyStorage = value;
+    }
+
+    /**
+     * Gets the value of the keySharing property.
+     *
+     * @return possible object is {@link KeySharingType }
+     */
+    public KeySharingType getKeySharing() {
+        return keySharing;
+    }
+
+    /**
+     * Sets the value of the keySharing property.
+     *
+     * @param value allowed object is {@link KeySharingType }
+     */
+    public void setKeySharing(KeySharingType value) {
+        this.keySharing = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PublicKeyType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PublicKeyType.java
new file mode 100755
index 0000000000..887f658a3f
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/PublicKeyType.java
@@ -0,0 +1,63 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for PublicKeyType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="PublicKeyType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="keyValidation" type="{http://www.w3.org/2001/XMLSchema}anySimpleType" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class PublicKeyType extends ExtensionListType {
+
+    protected String keyValidation;
+
+    /**
+     * Gets the value of the keyValidation property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getKeyValidation() {
+        return keyValidation;
+    }
+
+    /**
+     * Sets the value of the keyValidation property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setKeyValidation(String value) {
+        this.keyValidation = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/RestrictedLengthType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/RestrictedLengthType.java
new file mode 100755
index 0000000000..9c66c89cd3
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/RestrictedLengthType.java
@@ -0,0 +1,47 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for RestrictedLengthType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="RestrictedLengthType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}LengthType">
+ *       &lt;attribute name="min" use="required">
+ *         &lt;simpleType>
+ *           &lt;restriction base="{http://www.w3.org/2001/XMLSchema}integer">
+ *             &lt;minInclusive value="3"/>
+ *           &lt;/restriction>
+ *         &lt;/simpleType>
+ *       &lt;/attribute>
+ *       &lt;attribute name="max" type="{http://www.w3.org/2001/XMLSchema}integer" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class RestrictedLengthType extends LengthType {
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/RestrictedPasswordType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/RestrictedPasswordType.java
new file mode 100755
index 0000000000..8bfd978681
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/RestrictedPasswordType.java
@@ -0,0 +1,46 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for RestrictedPasswordType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="RestrictedPasswordType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}PasswordType">
+ *       &lt;sequence>
+ *         &lt;element name="Length" type="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}RestrictedLengthType"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Generation" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="ExternalVerification" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class RestrictedPasswordType extends PasswordType {
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/SecretKeyProtectionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/SecretKeyProtectionType.java
new file mode 100755
index 0000000000..d4451160cd
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/SecretKeyProtectionType.java
@@ -0,0 +1,84 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for SecretKeyProtectionType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SecretKeyProtectionType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}KeyActivation"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}KeyStorage" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class SecretKeyProtectionType extends ExtensionListType {
+
+    protected KeyActivationType keyActivation;
+    protected KeyStorageType keyStorage;
+
+    /**
+     * Gets the value of the keyActivation property.
+     *
+     * @return possible object is {@link KeyActivationType }
+     */
+    public KeyActivationType getKeyActivation() {
+        return keyActivation;
+    }
+
+    /**
+     * Sets the value of the keyActivation property.
+     *
+     * @param value allowed object is {@link KeyActivationType }
+     */
+    public void setKeyActivation(KeyActivationType value) {
+        this.keyActivation = value;
+    }
+
+    /**
+     * Gets the value of the keyStorage property.
+     *
+     * @return possible object is {@link KeyStorageType }
+     */
+    public KeyStorageType getKeyStorage() {
+        return keyStorage;
+    }
+
+    /**
+     * Sets the value of the keyStorage property.
+     *
+     * @param value allowed object is {@link KeyStorageType }
+     */
+    public void setKeyStorage(KeyStorageType value) {
+        this.keyStorage = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/SecurityAuditType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/SecurityAuditType.java
new file mode 100755
index 0000000000..1db7415adc
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/SecurityAuditType.java
@@ -0,0 +1,63 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for SecurityAuditType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SecurityAuditType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}SwitchAudit" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class SecurityAuditType extends ExtensionListType {
+
+    protected ExtensionOnlyType switchAudit;
+
+    /**
+     * Gets the value of the switchAudit property.
+     *
+     * @return possible object is {@link ExtensionOnlyType }
+     */
+    public ExtensionOnlyType getSwitchAudit() {
+        return switchAudit;
+    }
+
+    /**
+     * Sets the value of the switchAudit property.
+     *
+     * @param value allowed object is {@link ExtensionOnlyType }
+     */
+    public void setSwitchAudit(ExtensionOnlyType value) {
+        this.switchAudit = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/SharedSecretChallengeResponseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/SharedSecretChallengeResponseType.java
new file mode 100755
index 0000000000..699041aa1b
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/SharedSecretChallengeResponseType.java
@@ -0,0 +1,69 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * This element indicates that the Principal has been authenticated by a challenge-response protocol utilizing shared
+ * secret
+ * keys and symmetric cryptography.
+ *
+ *
+ * <p>
+ * Java class for SharedSecretChallengeResponseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SharedSecretChallengeResponseType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="method" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class SharedSecretChallengeResponseType extends ExtensionListType {
+
+    protected String method;
+
+    /**
+     * Gets the value of the method property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getMethod() {
+        return method;
+    }
+
+    /**
+     * Sets the value of the method property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setMethod(String value) {
+        this.method = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/TechnicalProtectionBaseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/TechnicalProtectionBaseType.java
new file mode 100755
index 0000000000..e699dcc37b
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/TechnicalProtectionBaseType.java
@@ -0,0 +1,85 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for TechnicalProtectionBaseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="TechnicalProtectionBaseType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;choice minOccurs="0">
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}PrivateKeyProtection"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}SecretKeyProtection"/>
+ *         &lt;/choice>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class TechnicalProtectionBaseType extends ExtensionListType {
+
+    protected PrivateKeyProtectionType privateKeyProtection;
+    protected SecretKeyProtectionType secretKeyProtection;
+
+    /**
+     * Gets the value of the privateKeyProtection property.
+     *
+     * @return possible object is {@link PrivateKeyProtectionType }
+     */
+    public PrivateKeyProtectionType getPrivateKeyProtection() {
+        return privateKeyProtection;
+    }
+
+    /**
+     * Sets the value of the privateKeyProtection property.
+     *
+     * @param value allowed object is {@link PrivateKeyProtectionType }
+     */
+    public void setPrivateKeyProtection(PrivateKeyProtectionType value) {
+        this.privateKeyProtection = value;
+    }
+
+    /**
+     * Gets the value of the secretKeyProtection property.
+     *
+     * @return possible object is {@link SecretKeyProtectionType }
+     */
+    public SecretKeyProtectionType getSecretKeyProtection() {
+        return secretKeyProtection;
+    }
+
+    /**
+     * Sets the value of the secretKeyProtection property.
+     *
+     * @param value allowed object is {@link SecretKeyProtectionType }
+     */
+    public void setSecretKeyProtection(SecretKeyProtectionType value) {
+        this.secretKeyProtection = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/TimeSyncTokenType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/TimeSyncTokenType.java
new file mode 100755
index 0000000000..141f6160d7
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/TimeSyncTokenType.java
@@ -0,0 +1,103 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+import java.math.BigInteger;
+
+/**
+ * <p>
+ * Java class for TimeSyncTokenType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="TimeSyncTokenType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="DeviceType" use="required" type="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}DeviceTypeType"
+ * />
+ *       &lt;attribute name="SeedLength" use="required" type="{http://www.w3.org/2001/XMLSchema}integer" />
+ *       &lt;attribute name="DeviceInHand" use="required" type="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}booleanType"
+ * />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class TimeSyncTokenType {
+
+    protected DeviceTypeType deviceType;
+    protected BigInteger seedLength;
+    protected Boolean deviceInHand = Boolean.FALSE;
+
+    /**
+     * Gets the value of the deviceType property.
+     *
+     * @return possible object is {@link DeviceTypeType }
+     */
+    public DeviceTypeType getDeviceType() {
+        return deviceType;
+    }
+
+    /**
+     * Sets the value of the deviceType property.
+     *
+     * @param value allowed object is {@link DeviceTypeType }
+     */
+    public void setDeviceType(DeviceTypeType value) {
+        this.deviceType = value;
+    }
+
+    /**
+     * Gets the value of the seedLength property.
+     *
+     * @return possible object is {@link BigInteger }
+     */
+    public BigInteger getSeedLength() {
+        return seedLength;
+    }
+
+    /**
+     * Sets the value of the seedLength property.
+     *
+     * @param value allowed object is {@link BigInteger }
+     */
+    public void setSeedLength(BigInteger value) {
+        this.seedLength = value;
+    }
+
+    /**
+     * Gets the value of the deviceInHand property.
+     *
+     * @return possible object is {@link BooleanType }
+     */
+    public Boolean getDeviceInHand() {
+        return deviceInHand;
+    }
+
+    /**
+     * Sets the value of the deviceInHand property.
+     *
+     * @param value allowed object is {@link BooleanType }
+     */
+    public void setDeviceInHand(Boolean value) {
+        this.deviceInHand = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/TokenType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/TokenType.java
new file mode 100755
index 0000000000..0f30933515
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/TokenType.java
@@ -0,0 +1,64 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
+/**
+ * <p>
+ * Java class for TokenType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="TokenType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}TimeSyncToken"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony}Extension"
+ * maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class TokenType extends ExtensionListType {
+
+    protected TimeSyncTokenType timeSyncToken;
+
+    /**
+     * Gets the value of the timeSyncToken property.
+     *
+     * @return possible object is {@link TimeSyncTokenType }
+     */
+    public TimeSyncTokenType getTimeSyncToken() {
+        return timeSyncToken;
+    }
+
+    /**
+     * Sets the value of the timeSyncToken property.
+     *
+     * @param value allowed object is {@link TimeSyncTokenType }
+     */
+    public void setTimeSyncToken(TimeSyncTokenType value) {
+        this.timeSyncToken = value;
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/package-info.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/package-info.java
new file mode 100755
index 0000000000..3a0e202a0f
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/classes/package-info.java
@@ -0,0 +1,20 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.ac.classes;
+
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/package-info.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/package-info.java
new file mode 100755
index 0000000000..62b1398e3f
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/ac/package-info.java
@@ -0,0 +1,27 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//
+// This file was generated by the JavaTM Architecture for XML Binding(JAXB) Reference Implementation, vhudson-jaxb-ri-2.1-661
+// See <a href="http://java.sun.com/xml/jaxb">http://java.sun.com/xml/jaxb</a>
+// Any modifications to this file will be lost upon recompilation of the source schema.
+// Generated on: 2008.12.08 at 05:45:20 PM CST
+//
+
+@javax.xml.bind.annotation.XmlSchema(namespace = "urn:oasis:names:tc:SAML:2.0:ac", elementFormDefault = javax.xml.bind.annotation.XmlNsForm.QUALIFIED) package org.keycloak.dom.saml.v2.ac;
+
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ActionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ActionType.java
new file mode 100755
index 0000000000..c31bf4e096
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ActionType.java
@@ -0,0 +1,42 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import org.keycloak.dom.saml.common.CommonActionType;
+
+/**
+ * <p>
+ * Java class for ActionType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ActionType">
+ *   &lt;simpleContent>
+ *     &lt;extension base="&lt;http://www.w3.org/2001/XMLSchema>string">
+ *       &lt;attribute name="Namespace" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/extension>
+ *   &lt;/simpleContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ActionType extends CommonActionType {
+
+    private static final long serialVersionUID = 1L;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AdviceType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AdviceType.java
new file mode 100755
index 0000000000..8f9fc2d7ce
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AdviceType.java
@@ -0,0 +1,49 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.assertion;
+
+import org.keycloak.dom.saml.common.CommonAdviceType;
+
+/**
+ * <p>
+ * Java class for AdviceType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AdviceType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice maxOccurs="unbounded" minOccurs="0">
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AssertionIDRef"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AssertionURIRef"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAssertion"/>
+ *         &lt;any/>
+ *       &lt;/choice>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AdviceType extends CommonAdviceType {
+
+    private static final long serialVersionUID = 1L;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AssertionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AssertionType.java
new file mode 100755
index 0000000000..7cbd35e3dd
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AssertionType.java
@@ -0,0 +1,257 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import org.keycloak.dom.saml.common.CommonAssertionType;
+import org.w3c.dom.Element;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+/**
+ * <complexType name="AssertionType"> <sequence> <element ref="saml:Issuer"/> <element ref="ds:Signature"
+ * minOccurs="0"/>
+ * <element ref="saml:Subject" minOccurs="0"/> <element ref="saml:Conditions" minOccurs="0"/> <element
+ * ref="saml:Advice"
+ * minOccurs="0"/> <choice minOccurs="0" maxOccurs="unbounded"> <element ref="saml:Statement"/> <element
+ * ref="saml:AuthnStatement"/> <element ref="saml:AuthzDecisionStatement"/> <element ref="saml:AttributeStatement"/>
+ * </choice>
+ * </sequence> <attribute name="Version" type="string" use="required"/> <attribute name="ID" type="ID" use="required"/>
+ * <attribute name="IssueInstant" type="dateTime" use="required"/> </complexType>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 24, 2010
+ */
+public class AssertionType extends CommonAssertionType {
+
+    private static final long serialVersionUID = 1L;
+
+    private Element signature;
+
+    private final String version = "2.0";
+
+    private AdviceType advice;
+
+    private NameIDType issuer;
+
+    private SubjectType subject;
+
+    private ConditionsType conditions;
+
+    private final Set<StatementAbstractType> statements = new LinkedHashSet<StatementAbstractType>();
+
+    /**
+     * Create an assertion
+     *
+     * @param iD ID of the assertion (Required)
+     * @param issueInstant {@link XMLGregorianCalendar} issue instant (required)
+     * @param version
+     */
+    public AssertionType(String iD, XMLGregorianCalendar issueInstant) {
+        super(iD, issueInstant);
+    }
+
+    /**
+     * Get the subject
+     *
+     * @return {@link SubjectType}
+     */
+    public SubjectType getSubject() {
+        checkSTSPermission();
+        return subject;
+    }
+
+    /**
+     * Set the subject
+     *
+     * @param subject
+     */
+    public void setSubject(SubjectType subject) {
+        checkSTSPermission();
+        this.subject = subject;
+    }
+
+    /**
+     * Get the version of SAML
+     *
+     * @return {@link String}
+     */
+    public String getVersion() {
+        return version;
+    }
+
+    /**
+     * Get the advice
+     *
+     * @return {@link AdviceType}
+     */
+    public AdviceType getAdvice() {
+        return advice;
+    }
+
+    /**
+     * Set the advice
+     *
+     * @param advice {@link advice}
+     */
+    public void setAdvice(AdviceType advice) {
+        checkSTSPermission();
+
+        this.advice = advice;
+    }
+
+    /**
+     * Get the conditions
+     *
+     * @return {@link ConditionsType}
+     */
+    public ConditionsType getConditions() {
+        checkSTSPermission();
+
+        return conditions;
+    }
+
+    /**
+     * Set the conditions
+     *
+     * @param conditions {@link ConditionsType}
+     */
+    public void setConditions(ConditionsType conditions) {
+        checkSTSPermission();
+
+        this.conditions = conditions;
+    }
+
+    /**
+     * Get the issuer
+     *
+     * @return {@link NameIDType}
+     */
+    public NameIDType getIssuer() {
+        return issuer;
+    }
+
+    /**
+     * Set the issuer
+     *
+     * @param issuer {@link NameIDType}
+     */
+    public void setIssuer(NameIDType issuer) {
+        checkSTSPermission();
+
+        this.issuer = issuer;
+    }
+
+    /**
+     * Add a statement
+     *
+     * @param statement {@link StatementAbstractType}
+     */
+    public void addStatement(StatementAbstractType statement) {
+        checkSTSPermission();
+
+        this.statements.add(statement);
+    }
+
+    /**
+     * Add a collection of statements
+     *
+     * @param statement {@link Collection}
+     */
+    public void addStatements(Collection<StatementAbstractType> statement) {
+        checkSTSPermission();
+
+        this.statements.addAll(statement);
+    }
+
+    /**
+     * Add a set of statements
+     *
+     * @param statement {@link Collection}
+     */
+    public void addStatements(Set<StatementAbstractType> statement) {
+        checkSTSPermission();
+
+        this.statements.addAll(statement);
+    }
+
+    /**
+     * Get a read only set of statements
+     *
+     * @return {@link Set}
+     */
+    public Set<StatementAbstractType> getStatements() {
+        checkSTSPermission();
+
+        return Collections.unmodifiableSet(statements);
+    }
+
+    /**
+     * Get the signature as a DOM element
+     *
+     * @return {@link Element}
+     */
+    public Element getSignature() {
+        return signature;
+    }
+
+    /**
+     * Set the signature DOM element
+     *
+     * @param signature
+     */
+    public void setSignature(Element signature) {
+        this.signature = signature;
+    }
+
+    public Set<AttributeStatementType> getAttributeStatements() {
+        Set<AttributeStatementType> attributeStatements = new HashSet<AttributeStatementType>();
+        Set<StatementAbstractType> statements = getStatements();
+
+        if (statements != null) {
+            for (StatementAbstractType statement : statements) {
+                if (AttributeStatementType.class.isInstance(statement)) {
+                    attributeStatements.add((AttributeStatementType) statement);
+                }
+            }
+        }
+
+        return attributeStatements;
+    }
+
+    /**
+     * Update the issue instant
+     *
+     * @param xg
+     */
+    public void updateIssueInstant(XMLGregorianCalendar xg) {
+        checkSTSPermission();
+
+        this.issueInstant = xg;
+    }
+
+    protected void checkSTSPermission() {
+        SecurityManager sm = System.getSecurityManager();
+        if (sm != null)
+            sm.checkPermission(new RuntimePermission("org.picketlink.sts"));
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeStatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeStatementType.java
new file mode 100755
index 0000000000..9b65f3854a
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeStatementType.java
@@ -0,0 +1,106 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for AttributeStatementType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AttributeStatementType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:assertion}StatementAbstractType">
+ *       &lt;choice maxOccurs="unbounded">
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Attribute"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAttribute"/>
+ *       &lt;/choice>
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AttributeStatementType extends StatementAbstractType {
+
+    private static final long serialVersionUID = 1L;
+    protected List<ASTChoiceType> attributes = new ArrayList<ASTChoiceType>();
+
+    /**
+     * Add an attribute
+     *
+     * @param attribute
+     */
+    public void addAttribute(ASTChoiceType attribute) {
+        attributes.add(attribute);
+    }
+
+    /**
+     * Remove an attribute
+     *
+     * @param attribute
+     */
+    public void removeAttribute(ASTChoiceType attribute) {
+        attributes.remove(attribute);
+    }
+
+    /**
+     * Gets the attributes.
+     *
+     * @return a read only {@link List}
+     */
+    public List<ASTChoiceType> getAttributes() {
+        return Collections.unmodifiableList(this.attributes);
+    }
+
+    public void addAttributes(List<ASTChoiceType> attributes) {
+        this.attributes.addAll(attributes);
+    }
+
+    public static class ASTChoiceType implements Serializable {
+
+        private static final long serialVersionUID = 1L;
+        private AttributeType attribute;
+        private EncryptedElementType encryptedAssertion;
+
+        public ASTChoiceType(AttributeType attribute) {
+            super();
+            this.attribute = attribute;
+        }
+
+        public ASTChoiceType(EncryptedElementType encryptedAssertion) {
+            super();
+            this.encryptedAssertion = encryptedAssertion;
+        }
+
+        public AttributeType getAttribute() {
+            return attribute;
+        }
+
+        public EncryptedElementType getEncryptedAssertion() {
+            return encryptedAssertion;
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeType.java
new file mode 100755
index 0000000000..c62111d2bf
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AttributeType.java
@@ -0,0 +1,170 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import javax.xml.namespace.QName;
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+/**
+ * <p>
+ * Java class for AttributeType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AttributeType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AttributeValue" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Name" use="required" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *       &lt;attribute name="NameFormat" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="FriendlyName" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AttributeType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<Object> attributeValue = new ArrayList<Object>();
+    protected String name;
+    protected String nameFormat;
+    protected String friendlyName;
+    private Map<QName, String> otherAttributes = new HashMap<QName, String>();
+
+    public AttributeType(String name) {
+        this.name = name;
+    }
+
+    /**
+     * Add an attribute value to the attribute
+     *
+     * @param value {@link Object}
+     */
+    public void addAttributeValue(Object value) {
+        attributeValue.add(value);
+    }
+
+    /**
+     * Remove an attribute value to the attribute
+     *
+     * @param value {@link Object}
+     */
+    public void removeAttributeValue(Object value) {
+        attributeValue.remove(value);
+    }
+
+    /**
+     * Gets the value of the attributeValue property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getAttributeValue().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link Object }
+     */
+    public List<Object> getAttributeValue() {
+        return Collections.unmodifiableList(this.attributeValue);
+    }
+
+    /**
+     * Gets the value of the name property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getName() {
+        return name;
+    }
+
+    /**
+     * Sets the value of the name property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setName(String value) {
+        this.name = value;
+    }
+
+    /**
+     * Gets the value of the nameFormat property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getNameFormat() {
+        return nameFormat;
+    }
+
+    /**
+     * Sets the value of the nameFormat property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setNameFormat(String value) {
+        this.nameFormat = value;
+    }
+
+    /**
+     * Gets the value of the friendlyName property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getFriendlyName() {
+        return friendlyName;
+    }
+
+    /**
+     * Sets the value of the friendlyName property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setFriendlyName(String value) {
+        this.friendlyName = value;
+    }
+
+    /**
+     * Gets a map that contains attributes that aren't bound to any typed property on this class.
+     *
+     * <p>
+     * the map is keyed by the name of the attribute and the value is the string value of the attribute.
+     *
+     * the map returned by this method is live, and you can add new attribute by updating the map directly. Because of
+     * this
+     * design, there's no setter.
+     *
+     * @return always non-null
+     */
+    public Map<QName, String> getOtherAttributes() {
+        return otherAttributes;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AudienceRestrictionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AudienceRestrictionType.java
new file mode 100755
index 0000000000..38e1f9dbae
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AudienceRestrictionType.java
@@ -0,0 +1,75 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.io.Serializable;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for AudienceRestrictionType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AudienceRestrictionType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:assertion}ConditionAbstractType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Audience" maxOccurs="unbounded"/>
+ *       &lt;/sequence>
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AudienceRestrictionType extends ConditionAbstractType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<URI> audience = new ArrayList<URI>();
+
+    /**
+     * Add an audience
+     *
+     * @param audienceval
+     */
+    public void addAudience(URI audienceval) {
+        audience.add(audienceval);
+    }
+
+    /**
+     * Remove an audience
+     *
+     * @param audienceval
+     */
+    public void removeAudience(URI audienceval) {
+        audience.remove(audienceval);
+    }
+
+    /**
+     * Gets the value of the audience property.
+     */
+    public List<URI> getAudience() {
+        return Collections.unmodifiableList(this.audience);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextClassRefType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextClassRefType.java
new file mode 100755
index 0000000000..00c7611830
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextClassRefType.java
@@ -0,0 +1,72 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.io.Serializable;
+import java.net.URI;
+
+/**
+ * Type that represents an AuthnContextClassRef
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 24, 2010
+ */
+public class AuthnContextClassRefType implements URIType, Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    private final URI value;
+
+    public AuthnContextClassRefType(URI value) {
+        this.value = value;
+    }
+
+    public URI getValue() {
+        return value;
+    }
+
+    @Override
+    public String toString() {
+        return "AuthnContextClassRefType [value=" + value + "]";
+    }
+
+    @Override
+    public int hashCode() {
+        final int prime = 31;
+        int result = 1;
+        result = prime * result + ((value == null) ? 0 : value.hashCode());
+        return result;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj)
+            return true;
+        if (obj == null)
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        AuthnContextClassRefType other = (AuthnContextClassRefType) obj;
+        if (value == null) {
+            if (other.value != null)
+                return false;
+        } else if (!value.equals(other.value))
+            return false;
+        return true;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclRefType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclRefType.java
new file mode 100755
index 0000000000..e28ca5c9b1
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclRefType.java
@@ -0,0 +1,66 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.io.Serializable;
+import java.net.URI;
+
+/**
+ * Type that represents an AuthnContextDeclRef
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 24, 2010
+ */
+public class AuthnContextDeclRefType implements URIType, Serializable {
+
+    private static final long serialVersionUID = 1L;
+    private URI value;
+
+    public AuthnContextDeclRefType(URI value) {
+        this.value = value;
+    }
+
+    public URI getValue() {
+        return value;
+    }
+
+    @Override
+    public int hashCode() {
+        final int prime = 31;
+        int result = 1;
+        result = prime * result + ((value == null) ? 0 : value.hashCode());
+        return result;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj)
+            return true;
+        if (obj == null)
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        AuthnContextDeclRefType other = (AuthnContextDeclRefType) obj;
+        if (value == null) {
+            if (other.value != null)
+                return false;
+        } else if (!value.equals(other.value))
+            return false;
+        return true;
+    }
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclType.java
new file mode 100755
index 0000000000..51749b9b5f
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextDeclType.java
@@ -0,0 +1,71 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.io.Serializable;
+
+/**
+ * Type that represents an AuthnContextDecl
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 24, 2010
+ */
+public class AuthnContextDeclType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    private Object value;
+
+    public AuthnContextDeclType(Object value) {
+        this.value = value;
+    }
+
+    public Object getValue() {
+        return value;
+    }
+
+    @Override
+    public String toString() {
+        return "AuthnContextDeclType [value=" + value + "]";
+    }
+
+    @Override
+    public int hashCode() {
+        final int prime = 31;
+        int result = 1;
+        result = prime * result + ((value == null) ? 0 : value.hashCode());
+        return result;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (this == obj)
+            return true;
+        if (obj == null)
+            return false;
+        if (getClass() != obj.getClass())
+            return false;
+        AuthnContextDeclType other = (AuthnContextDeclType) obj;
+        if (value == null) {
+            if (other.value != null)
+                return false;
+        } else if (!value.equals(other.value))
+            return false;
+        return true;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextType.java
new file mode 100755
index 0000000000..0f9e18ce28
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnContextType.java
@@ -0,0 +1,208 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.io.Serializable;
+import java.net.URI;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.LinkedHashSet;
+import java.util.Set;
+
+/**
+ * <p>
+ * Java class for AuthnContextType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthnContextType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;choice>
+ *           &lt;sequence>
+ *             &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AuthnContextClassRef"/>
+ *             &lt;choice minOccurs="0">
+ *               &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AuthnContextDecl"/>
+ *               &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AuthnContextDeclRef"/>
+ *             &lt;/choice>
+ *           &lt;/sequence>
+ *           &lt;choice>
+ *             &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AuthnContextDecl"/>
+ *             &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AuthnContextDeclRef"/>
+ *           &lt;/choice>
+ *         &lt;/choice>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AuthenticatingAuthority" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AuthnContextType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    private final Set<URI> authenticatingAuthority = new LinkedHashSet<URI>();
+
+    private AuthnContextTypeSequence sequence;
+
+    private final Set<URIType> URITypes = new HashSet<URIType>();
+
+    /**
+     * Add an authenticating authority
+     *
+     * @param aa {@link URI}
+     */
+    public void addAuthenticatingAuthority(URI aa) {
+        authenticatingAuthority.add(aa);
+    }
+
+    /**
+     * Add Authenticating Authority
+     *
+     * @param aas an array of {@link URI}
+     */
+    public void addAuthenticatingAuthority(URI[] aas) {
+        authenticatingAuthority.addAll(Arrays.asList(aas));
+    }
+
+    /**
+     * Remove an authenticating authority
+     *
+     * @param aa
+     */
+    public void removeAuthenticatingAuthority(URI aa) {
+        authenticatingAuthority.remove(aa);
+    }
+
+    /**
+     * Get a read only set of authenticating authority
+     *
+     * @return
+     */
+    public Set<URI> getAuthenticatingAuthority() {
+        return Collections.unmodifiableSet(authenticatingAuthority);
+    }
+
+    /**
+     * Get the sequence
+     *
+     * @return
+     */
+    public AuthnContextTypeSequence getSequence() {
+        return sequence;
+    }
+
+    /**
+     * Set the authn context sequence
+     *
+     * @param sequence
+     */
+    public void setSequence(AuthnContextTypeSequence sequence) {
+        this.sequence = sequence;
+    }
+
+    /**
+     * Add an URI type
+     *
+     * @param aa
+     */
+    public void addURIType(URIType aa) {
+        URITypes.add(aa);
+    }
+
+    /**
+     * Add an array of URI Type
+     *
+     * @param aas
+     */
+    public void addURIType(URIType[] aas) {
+        URITypes.addAll(Arrays.asList(aas));
+    }
+
+    /**
+     * Get a read only set of URI type
+     *
+     * @return
+     */
+    public Set<URIType> getURIType() {
+        return Collections.unmodifiableSet(URITypes);
+    }
+
+    /**
+     * Add an URI type
+     *
+     * @param aa
+     */
+    public void removeURIType(URIType aa) {
+        URITypes.remove(aa);
+    }
+
+    /**
+     * <sequence> <element ref="saml:AuthnContextClassRef"/> <choice minOccurs="0"> <element
+     * ref="saml:AuthnContextDecl"/>
+     * <element ref="saml:AuthnContextDeclRef"/> </choice> </sequence>
+     */
+    public class AuthnContextTypeSequence implements Serializable {
+
+        private static final long serialVersionUID = 1L;
+
+        private AuthnContextClassRefType classRef;
+
+        private AuthnContextDeclType authnContextDecl;
+
+        private final Set<URIType> URITypes = new HashSet<URIType>();
+
+        public AuthnContextClassRefType getClassRef() {
+            return classRef;
+        }
+
+        public void setClassRef(AuthnContextClassRefType classRef) {
+            this.classRef = classRef;
+        }
+
+        public void addURIType(URIType aa) {
+            URITypes.add(aa);
+        }
+
+        public void removeURIType(URIType aa) {
+            URITypes.remove(aa);
+        }
+
+        public void addURIType(URIType[] aas) {
+            URITypes.addAll(Arrays.asList(aas));
+        }
+
+        public Set<URIType> getURIType() {
+            return Collections.unmodifiableSet(URITypes);
+        }
+
+        public AuthnContextDeclType getAuthnContextDecl() {
+            return authnContextDecl;
+        }
+
+        public void setAuthnContextDecl(AuthnContextDeclType authnContextDecl) {
+            this.authnContextDecl = authnContextDecl;
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnStatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnStatementType.java
new file mode 100755
index 0000000000..33d8916d68
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthnStatementType.java
@@ -0,0 +1,140 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+
+/**
+ * <p>
+ * Java class for AuthnStatementType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthnStatementType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:assertion}StatementAbstractType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}SubjectLocality" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AuthnContext"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="AuthnInstant" use="required" type="{http://www.w3.org/2001/XMLSchema}dateTime" />
+ *       &lt;attribute name="SessionIndex" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *       &lt;attribute name="SessionNotOnOrAfter" type="{http://www.w3.org/2001/XMLSchema}dateTime" />
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AuthnStatementType extends StatementAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected SubjectLocalityType subjectLocality;
+    protected AuthnContextType authnContext;
+    protected XMLGregorianCalendar authnInstant;
+    protected XMLGregorianCalendar sessionNotOnOrAfter;
+
+    protected String sessionIndex;
+
+    public AuthnStatementType(XMLGregorianCalendar instant) {
+        this.authnInstant = instant;
+    }
+
+    /**
+     * Gets the value of the subjectLocality property.
+     *
+     * @return possible object is {@link SubjectLocalityType }
+     */
+    public SubjectLocalityType getSubjectLocality() {
+        return subjectLocality;
+    }
+
+    /**
+     * Sets the value of the subjectLocality property.
+     *
+     * @param value allowed object is {@link SubjectLocalityType }
+     */
+    public void setSubjectLocality(SubjectLocalityType value) {
+        this.subjectLocality = value;
+    }
+
+    /**
+     * Gets the value of the authnContext property.
+     *
+     * @return possible object is {@link AuthnContextType }
+     */
+    public AuthnContextType getAuthnContext() {
+        return authnContext;
+    }
+
+    /**
+     * Sets the value of the authnContext property.
+     *
+     * @param value allowed object is {@link AuthnContextType }
+     */
+    public void setAuthnContext(AuthnContextType value) {
+        this.authnContext = value;
+    }
+
+    /**
+     * Gets the value of the authnInstant property.
+     *
+     * @return possible object is {@link XMLGregorianCalendar }
+     */
+    public XMLGregorianCalendar getAuthnInstant() {
+        return authnInstant;
+    }
+
+    /**
+     * Gets the value of the sessionIndex property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getSessionIndex() {
+        return sessionIndex;
+    }
+
+    /**
+     * Sets the value of the sessionIndex property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setSessionIndex(String value) {
+        this.sessionIndex = value;
+    }
+
+    /**
+     * Gets the value of the sessionNotOnOrAfter property.
+     *
+     * @return possible object is {@link XMLGregorianCalendar }
+     */
+    public XMLGregorianCalendar getSessionNotOnOrAfter() {
+        return sessionNotOnOrAfter;
+    }
+
+    /**
+     * Sets the value of the sessionNotOnOrAfter property.
+     *
+     * @param value allowed object is {@link XMLGregorianCalendar }
+     */
+    public void setSessionNotOnOrAfter(XMLGregorianCalendar value) {
+        this.sessionNotOnOrAfter = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthzDecisionStatementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthzDecisionStatementType.java
new file mode 100755
index 0000000000..fa8a861ee3
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/AuthzDecisionStatementType.java
@@ -0,0 +1,134 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for AuthzDecisionStatementType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthzDecisionStatementType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:assertion}StatementAbstractType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Action" maxOccurs="unbounded"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Evidence" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Resource" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="Decision" use="required" type="{urn:oasis:names:tc:SAML:2.0:assertion}DecisionType" />
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AuthzDecisionStatementType extends StatementAbstractType {
+
+    private static final long serialVersionUID = 1L;
+    protected List<ActionType> action = new ArrayList<ActionType>();
+    protected EvidenceType evidence;
+    protected String resource;
+    protected DecisionType decision;
+
+    /**
+     * Get the list of actions (read-only list)
+     *
+     * @return {@link List} read only
+     */
+    public List<ActionType> getAction() {
+        return Collections.unmodifiableList(this.action);
+    }
+
+    /**
+     * Add an action
+     *
+     * @param actionType
+     */
+    public void addAction(ActionType actionType) {
+        action.add(actionType);
+    }
+
+    /**
+     * Remove an action
+     *
+     * @param actionType
+     */
+    public void removeAction(ActionType actionType) {
+        action.remove(actionType);
+    }
+
+    /**
+     * Gets the value of the evidence property.
+     *
+     * @return possible object is {@link EvidenceType }
+     */
+    public EvidenceType getEvidence() {
+        return evidence;
+    }
+
+    /**
+     * Sets the value of the evidence property.
+     *
+     * @param value allowed object is {@link EvidenceType }
+     */
+    public void setEvidence(EvidenceType value) {
+        this.evidence = value;
+    }
+
+    /**
+     * Gets the value of the resource property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getResource() {
+        return resource;
+    }
+
+    /**
+     * Sets the value of the resource property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setResource(String value) {
+        this.resource = value;
+    }
+
+    /**
+     * Gets the value of the decision property.
+     *
+     * @return possible object is {@link DecisionType }
+     */
+    public DecisionType getDecision() {
+        return decision;
+    }
+
+    /**
+     * Sets the value of the decision property.
+     *
+     * @param value allowed object is {@link DecisionType }
+     */
+    public void setDecision(DecisionType value) {
+        this.decision = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/BaseIDAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/BaseIDAbstractType.java
new file mode 100755
index 0000000000..0090d23c66
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/BaseIDAbstractType.java
@@ -0,0 +1,60 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.io.Serializable;
+
+/**
+ * Abstract Type that represents an ID
+ *
+ * <pre>
+ *  &lt;attributeGroup name="IDNameQualifiers">
+ *         &lt;attribute name="NameQualifier" type="string" use="optional"/>
+ *         &lt;attribute name="SPNameQualifier" type="string" use="optional"/>
+ *     &lt;/attributeGroup>
+ *
+ *     &lt;complexType name="BaseIDAbstractType" abstract="true">
+ *         &lt;attributeGroup ref="saml:IDNameQualifiers"/>
+ *     &lt;/complexType>
+ * </pre>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 24, 2010
+ */
+public abstract class BaseIDAbstractType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+    private String nameQualifier;
+    private String sPNameQualifier;
+
+    public String getNameQualifier() {
+        return nameQualifier;
+    }
+
+    public void setNameQualifier(String nameQualifier) {
+        this.nameQualifier = nameQualifier;
+    }
+
+    public String getSPNameQualifier() {
+        return sPNameQualifier;
+    }
+
+    public void setSPNameQualifier(String sPNameQualifier) {
+        this.sPNameQualifier = sPNameQualifier;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionAbstractType.java
new file mode 100755
index 0000000000..64fe2ab3ca
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionAbstractType.java
@@ -0,0 +1,41 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.io.Serializable;
+
+/**
+ * <p>
+ * Java class for ConditionAbstractType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ConditionAbstractType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public abstract class ConditionAbstractType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionsType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionsType.java
new file mode 100755
index 0000000000..0d77f40663
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ConditionsType.java
@@ -0,0 +1,81 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import org.keycloak.dom.saml.common.CommonConditionsType;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for ConditionsType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ConditionsType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice maxOccurs="unbounded" minOccurs="0">
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Condition"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AudienceRestriction"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}OneTimeUse"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}ProxyRestriction"/>
+ *       &lt;/choice>
+ *       &lt;attribute name="NotBefore" type="{http://www.w3.org/2001/XMLSchema}dateTime" />
+ *       &lt;attribute name="NotOnOrAfter" type="{http://www.w3.org/2001/XMLSchema}dateTime" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ConditionsType extends CommonConditionsType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<ConditionAbstractType> conditions = new ArrayList<ConditionAbstractType>();
+
+    /**
+     * Add a condition
+     *
+     * @param condition
+     */
+    public void addCondition(ConditionAbstractType condition) {
+        this.conditions.add(condition);
+    }
+
+    /**
+     * Remove a condition
+     *
+     * @param condition
+     */
+    public void removeCondition(ConditionAbstractType condition) {
+        this.conditions.remove(condition);
+    }
+
+    /**
+     * Gets an read only conditions list.
+     */
+    public List<ConditionAbstractType> getConditions() {
+        return Collections.unmodifiableList(this.conditions);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/DecisionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/DecisionType.java
new file mode 100755
index 0000000000..5f22958081
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/DecisionType.java
@@ -0,0 +1,58 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+/**
+ * <p>
+ * Java class for DecisionType.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ * <p>
+ *
+ * <pre>
+ * &lt;simpleType name="DecisionType">
+ *   &lt;restriction base="{http://www.w3.org/2001/XMLSchema}string">
+ *     &lt;enumeration value="Permit"/>
+ *     &lt;enumeration value="Deny"/>
+ *     &lt;enumeration value="Indeterminate"/>
+ *   &lt;/restriction>
+ * &lt;/simpleType>
+ * </pre>
+ */
+public enum DecisionType {
+    PERMIT("Permit"), DENY("Deny"), INDETERMINATE("Indeterminate");
+    private final String value;
+
+    DecisionType(String v) {
+        value = v;
+    }
+
+    public String value() {
+        return value;
+    }
+
+    public static DecisionType fromValue(String v) {
+        for (DecisionType c : DecisionType.values()) {
+            if (c.value.equals(v)) {
+                return c;
+            }
+        }
+        throw new IllegalArgumentException(v);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedAssertionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedAssertionType.java
new file mode 100755
index 0000000000..31cc80d07d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedAssertionType.java
@@ -0,0 +1,43 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import org.w3c.dom.Element;
+
+/**
+ * Assertion that is encrypted
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 24, 2010
+ */
+public class EncryptedAssertionType extends EncryptedElementType {
+
+    private static final long serialVersionUID = 1L;
+
+    public EncryptedAssertionType() {
+        super();
+    }
+
+    public EncryptedAssertionType(Element el) {
+        super(el);
+    }
+
+    public String getID() {
+        return null;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedElementType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedElementType.java
new file mode 100755
index 0000000000..19c13d6d82
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EncryptedElementType.java
@@ -0,0 +1,56 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import org.w3c.dom.Element;
+
+import java.io.Serializable;
+
+/**
+ * Represents an element that is encrypted
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 24, 2010
+ */
+public class EncryptedElementType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * <complexType name="EncryptedElementType"> <sequence> <element ref="xenc:EncryptedData"/> <element
+     * ref="xenc:EncryptedKey"
+     * minOccurs="0" maxOccurs="unbounded"/> </sequence> </complexType>
+     */
+
+    protected Element encryptedElement;
+
+    public EncryptedElementType() {
+    }
+
+    public EncryptedElementType(Element el) {
+        this.encryptedElement = el;
+    }
+
+    public Element getEncryptedElement() {
+        return encryptedElement;
+    }
+
+    public void setEncryptedElement(Element encryptedElement) {
+        this.encryptedElement = encryptedElement;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EvidenceType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EvidenceType.java
new file mode 100755
index 0000000000..47110faed9
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/EvidenceType.java
@@ -0,0 +1,121 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.io.Serializable;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for EvidenceType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="EvidenceType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice maxOccurs="unbounded">
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AssertionIDRef"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AssertionURIRef"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAssertion"/>
+ *       &lt;/choice>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class EvidenceType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+    protected List<ChoiceType> evidences = new ArrayList<ChoiceType>();
+
+    /**
+     * Add an evidence
+     *
+     * @param evidence
+     */
+    public void addEvidence(ChoiceType evidence) {
+        evidences.add(evidence);
+    }
+
+    /**
+     * Remove an evidence
+     *
+     * @param evidence
+     */
+    public void removeEvidence(ChoiceType evidence) {
+        evidences.remove(evidence);
+    }
+
+    /**
+     * Get the list of evidences as a read only list
+     *
+     * @return
+     */
+    public List<ChoiceType> evidences() {
+        return Collections.unmodifiableList(evidences);
+    }
+
+    public static class ChoiceType implements Serializable {
+
+        private static final long serialVersionUID = 1L;
+        private String AssertionIDRef;
+        private URI AssertionURIRef;
+        private AssertionType assertion;
+        private EncryptedAssertionType encryptedAssertion;
+
+        public ChoiceType(String assertionIDRef) {
+            AssertionIDRef = assertionIDRef;
+        }
+
+        public ChoiceType(URI assertionURIRef) {
+            AssertionURIRef = assertionURIRef;
+        }
+
+        public ChoiceType(AssertionType assertion) {
+            this.assertion = assertion;
+        }
+
+        public ChoiceType(EncryptedAssertionType encryptedAssertion) {
+            this.encryptedAssertion = encryptedAssertion;
+        }
+
+        public String getAssertionIDRef() {
+            return AssertionIDRef;
+        }
+
+        public URI getAssertionURIRef() {
+            return AssertionURIRef;
+        }
+
+        public AssertionType getAssertion() {
+            return assertion;
+        }
+
+        public EncryptedAssertionType getEncryptedAssertion() {
+            return encryptedAssertion;
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/KeyInfoConfirmationDataType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/KeyInfoConfirmationDataType.java
new file mode 100755
index 0000000000..e11dc49f00
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/KeyInfoConfirmationDataType.java
@@ -0,0 +1,54 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import org.w3c.dom.Element;
+
+/**
+ * <p>
+ * Java class for KeyInfoConfirmationDataType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="KeyInfoConfirmationDataType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{urn:oasis:names:tc:SAML:2.0:assertion}SubjectConfirmationDataType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}KeyInfo" maxOccurs="unbounded"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class KeyInfoConfirmationDataType extends SubjectConfirmationDataType {
+
+    private static final long serialVersionUID = 2510471236717847074L;
+
+    protected Element keyInfo;
+
+    public Element getKeyInfo() {
+        return keyInfo;
+    }
+
+    public void setKeyInfo(Element keyInfo) {
+        this.keyInfo = keyInfo;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/NameIDType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/NameIDType.java
new file mode 100755
index 0000000000..3f7aec177a
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/NameIDType.java
@@ -0,0 +1,74 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.net.URI;
+
+/**
+ * Represents a NameIDType
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 24, 2010
+ */
+public class NameIDType extends BaseIDAbstractType {
+    /*
+     * <complexType name="NameIDType"> <simpleContent> <extension base="string"> <attributeGroup ref="saml:IDNameQualifiers"/>
+     * <attribute name="Format" type="anyURI" use="optional"/> <attribute name="SPProvidedID" type="string" use="optional"/>
+     * </extension> </simpleContent> </complexType>
+     *
+     * <attributeGroup name="IDNameQualifiers"> <attribute name="NameQualifier" type="string" use="optional"/> <attribute
+     * name="SPNameQualifier" type="string" use="optional"/> </attributeGroup>
+     */
+
+    private static final long serialVersionUID = 1L;
+    private String value;
+    private URI format;
+    private String sPProvidedID;
+
+    public String getValue() {
+        return value;
+    }
+
+    public void setValue(String value) {
+        this.value = value;
+    }
+
+    public String getsPProvidedID() {
+        return sPProvidedID;
+    }
+
+    public void setsPProvidedID(String sPProvidedID) {
+        this.sPProvidedID = sPProvidedID;
+    }
+
+    public URI getFormat() {
+        return format;
+    }
+
+    public void setFormat(URI format) {
+        this.format = format;
+    }
+
+    public String getSPProvidedID() {
+        return sPProvidedID;
+    }
+
+    public void setSPProvidedID(String sPProvidedID) {
+        this.sPProvidedID = sPProvidedID;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/OneTimeUseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/OneTimeUseType.java
new file mode 100755
index 0000000000..1898c7b492
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/OneTimeUseType.java
@@ -0,0 +1,39 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+/**
+ * <p>
+ * Java class for OneTimeUseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="OneTimeUseType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:assertion}ConditionAbstractType">
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class OneTimeUseType extends ConditionAbstractType {
+
+    private static final long serialVersionUID = 1L;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ProxyRestrictionType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ProxyRestrictionType.java
new file mode 100755
index 0000000000..5072181a4f
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/ProxyRestrictionType.java
@@ -0,0 +1,96 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.math.BigInteger;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for ProxyRestrictionType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ProxyRestrictionType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:assertion}ConditionAbstractType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Audience" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Count" type="{http://www.w3.org/2001/XMLSchema}nonNegativeInteger" />
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ProxyRestrictionType extends ConditionAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<URI> audience = new ArrayList<URI>();
+
+    protected BigInteger count;
+
+    /**
+     * Add an audience
+     *
+     * @param a
+     */
+    public void addAudience(URI a) {
+        this.audience.add(a);
+    }
+
+    /**
+     * Gets the value of the audience property.
+     */
+    public List<URI> getAudience() {
+        return Collections.unmodifiableList(audience);
+    }
+
+    /**
+     * Remove an audience
+     *
+     * @param a
+     */
+    public void removeAudience(URI a) {
+        this.audience.remove(a);
+    }
+
+    /**
+     * Gets the value of the count property.
+     *
+     * @return possible object is {@link BigInteger }
+     */
+    public BigInteger getCount() {
+        return count;
+    }
+
+    /**
+     * Sets the value of the count property.
+     *
+     * @param value allowed object is {@link BigInteger }
+     */
+    public void setCount(BigInteger value) {
+        this.count = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/StatementAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/StatementAbstractType.java
new file mode 100755
index 0000000000..0230b15b57
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/StatementAbstractType.java
@@ -0,0 +1,42 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.io.Serializable;
+
+/**
+ * <p>
+ * Java class for StatementAbstractType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="StatementAbstractType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public abstract class StatementAbstractType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationDataType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationDataType.java
new file mode 100755
index 0000000000..274104f4f8
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationDataType.java
@@ -0,0 +1,197 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+import java.io.Serializable;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * <p>
+ * Java class for SubjectConfirmationDataType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SubjectConfirmationDataType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="NotBefore" type="{http://www.w3.org/2001/XMLSchema}dateTime" />
+ *       &lt;attribute name="NotOnOrAfter" type="{http://www.w3.org/2001/XMLSchema}dateTime" />
+ *       &lt;attribute name="Recipient" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="InResponseTo" type="{http://www.w3.org/2001/XMLSchema}NCName" />
+ *       &lt;attribute name="Address" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class SubjectConfirmationDataType implements Serializable {
+
+    private static final long serialVersionUID = 7695748370849965158L;
+
+    protected XMLGregorianCalendar notBefore;
+
+    protected XMLGregorianCalendar notOnOrAfter;
+
+    protected String recipient;
+
+    protected String inResponseTo;
+
+    protected String address;
+
+    private final Map<QName, String> otherAttributes = new HashMap<QName, String>();
+
+    private Object anyType;
+
+    public Object getAnyType() {
+        return anyType;
+    }
+
+    public void setAnyType(Object anyType) {
+        this.anyType = anyType;
+    }
+
+    /**
+     * Gets the value of the notBefore property.
+     *
+     * @return possible object is {@link XMLGregorianCalendar }
+     */
+    public XMLGregorianCalendar getNotBefore() {
+        return notBefore;
+    }
+
+    /**
+     * Sets the value of the notBefore property.
+     *
+     * @param value allowed object is {@link XMLGregorianCalendar }
+     */
+    public void setNotBefore(XMLGregorianCalendar value) {
+        this.notBefore = value;
+    }
+
+    /**
+     * Gets the value of the notOnOrAfter property.
+     *
+     * @return possible object is {@link XMLGregorianCalendar }
+     */
+    public XMLGregorianCalendar getNotOnOrAfter() {
+        return notOnOrAfter;
+    }
+
+    /**
+     * Sets the value of the notOnOrAfter property.
+     *
+     * @param value allowed object is {@link XMLGregorianCalendar }
+     */
+    public void setNotOnOrAfter(XMLGregorianCalendar value) {
+        this.notOnOrAfter = value;
+    }
+
+    /**
+     * Gets the value of the recipient property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getRecipient() {
+        return recipient;
+    }
+
+    /**
+     * Sets the value of the recipient property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setRecipient(String value) {
+        this.recipient = value;
+    }
+
+    /**
+     * Gets the value of the inResponseTo property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getInResponseTo() {
+        return inResponseTo;
+    }
+
+    /**
+     * Sets the value of the inResponseTo property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setInResponseTo(String value) {
+        this.inResponseTo = value;
+    }
+
+    /**
+     * Gets the value of the address property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getAddress() {
+        return address;
+    }
+
+    /**
+     * Sets the value of the address property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setAddress(String value) {
+        this.address = value;
+    }
+
+    /**
+     * Gets a map that contains attributes that aren't bound to any typed property on this class.
+     *
+     * <p>
+     * the map is keyed by the name of the attribute and the value is the string value of the attribute.
+     *
+     * @return always non-null
+     */
+    public Map<QName, String> getOtherAttributes() {
+        return Collections.unmodifiableMap(otherAttributes);
+    }
+
+    /**
+     * Add an other attribute
+     *
+     * @param qname
+     * @param str
+     */
+    public void addOtherAttribute(QName qname, String str) {
+        otherAttributes.put(qname, str);
+    }
+
+    /**
+     * Remove an other attribute
+     *
+     * @param qname {@link QName} of the attribute to be removed
+     */
+    public void removeOtherAttribute(QName qname) {
+        otherAttributes.remove(qname);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationType.java
new file mode 100755
index 0000000000..6979022d2b
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectConfirmationType.java
@@ -0,0 +1,146 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.io.Serializable;
+
+/**
+ * <p>
+ * Java class for SubjectConfirmationType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SubjectConfirmationType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;choice minOccurs="0">
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}BaseID"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}NameID"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}EncryptedID"/>
+ *         &lt;/choice>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}SubjectConfirmationData" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Method" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class SubjectConfirmationType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+    protected BaseIDAbstractType baseID;
+    protected NameIDType nameID;
+    protected EncryptedElementType encryptedID;
+    protected SubjectConfirmationDataType subjectConfirmationData;
+    protected String method;
+
+    /**
+     * Gets the value of the baseID property.
+     *
+     * @return possible object is {@link BaseIDAbstractType }
+     */
+    public BaseIDAbstractType getBaseID() {
+        return baseID;
+    }
+
+    /**
+     * Sets the value of the baseID property.
+     *
+     * @param value allowed object is {@link BaseIDAbstractType }
+     */
+    public void setBaseID(BaseIDAbstractType value) {
+        this.baseID = value;
+    }
+
+    /**
+     * Gets the value of the nameID property.
+     *
+     * @return possible object is {@link NameIDType }
+     */
+    public NameIDType getNameID() {
+        return nameID;
+    }
+
+    /**
+     * Sets the value of the nameID property.
+     *
+     * @param value allowed object is {@link NameIDType }
+     */
+    public void setNameID(NameIDType value) {
+        this.nameID = value;
+    }
+
+    /**
+     * Gets the value of the encryptedID property.
+     *
+     * @return possible object is {@link EncryptedElementType }
+     */
+    public EncryptedElementType getEncryptedID() {
+        return encryptedID;
+    }
+
+    /**
+     * Sets the value of the encryptedID property.
+     *
+     * @param value allowed object is {@link EncryptedElementType }
+     */
+    public void setEncryptedID(EncryptedElementType value) {
+        this.encryptedID = value;
+    }
+
+    /**
+     * Gets the value of the subjectConfirmationData property.
+     *
+     * @return possible object is {@link SubjectConfirmationDataType }
+     */
+    public SubjectConfirmationDataType getSubjectConfirmationData() {
+        return subjectConfirmationData;
+    }
+
+    /**
+     * Sets the value of the subjectConfirmationData property.
+     *
+     * @param value allowed object is {@link SubjectConfirmationDataType }
+     */
+    public void setSubjectConfirmationData(SubjectConfirmationDataType value) {
+        this.subjectConfirmationData = value;
+    }
+
+    /**
+     * Gets the value of the method property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getMethod() {
+        return method;
+    }
+
+    /**
+     * Sets the value of the method property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setMethod(String value) {
+        this.method = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectLocalityType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectLocalityType.java
new file mode 100755
index 0000000000..4a8bb60bab
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectLocalityType.java
@@ -0,0 +1,83 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.io.Serializable;
+
+/**
+ * <p>
+ * Java class for SubjectLocalityType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SubjectLocalityType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="Address" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *       &lt;attribute name="DNSName" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class SubjectLocalityType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    protected String address;
+
+    protected String dnsName;
+
+    /**
+     * Gets the value of the address property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getAddress() {
+        return address;
+    }
+
+    /**
+     * Sets the value of the address property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setAddress(String value) {
+        this.address = value;
+    }
+
+    /**
+     * Gets the value of the dnsName property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getDNSName() {
+        return dnsName;
+    }
+
+    /**
+     * Sets the value of the dnsName property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setDNSName(String value) {
+        this.dnsName = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectType.java
new file mode 100755
index 0000000000..61aeb089b1
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/SubjectType.java
@@ -0,0 +1,153 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.io.Serializable;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for SubjectType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SubjectType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice>
+ *         &lt;sequence>
+ *           &lt;choice>
+ *             &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}BaseID"/>
+ *             &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}NameID"/>
+ *             &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}EncryptedID"/>
+ *           &lt;/choice>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}SubjectConfirmation" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *         &lt;/sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}SubjectConfirmation" maxOccurs="unbounded"/>
+ *       &lt;/choice>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class SubjectType implements Serializable {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<SubjectConfirmationType> subjectConfirmation = new ArrayList<SubjectConfirmationType>();
+
+    protected STSubType subType;
+
+    /**
+     * Get the {@link STSubType}
+     *
+     * @return
+     */
+    public STSubType getSubType() {
+        return subType;
+    }
+
+    /**
+     * Set the {@link STSubType}
+     *
+     * @param subType
+     */
+    public void setSubType(STSubType subType) {
+        this.subType = subType;
+    }
+
+    /**
+     * Get the size of subject confirmations
+     *
+     * @return
+     */
+    public int getCount() {
+        return subjectConfirmation.size();
+    }
+
+    /**
+     * Get a list of subject confirmations
+     *
+     * @return {@link} read only list of subject confirmation
+     */
+    public List<SubjectConfirmationType> getConfirmation() {
+        return Collections.unmodifiableList(subjectConfirmation);
+    }
+
+    /**
+     * Add a subject confirmation
+     *
+     * @param con
+     */
+    public void addConfirmation(SubjectConfirmationType con) {
+        subjectConfirmation.add(con);
+    }
+
+    /**
+     * Remove a subject confirmation
+     *
+     * @param con
+     */
+    public void removeConfirmation(SubjectConfirmationType con) {
+        subjectConfirmation.remove(con);
+    }
+
+    public static class STSubType implements Serializable {
+
+        private static final long serialVersionUID = -4073731807610876524L;
+
+        private BaseIDAbstractType baseID;
+
+        private EncryptedElementType encryptedID;
+
+        protected List<SubjectConfirmationType> subjectConfirmation = new ArrayList<SubjectConfirmationType>();
+
+        public void addBaseID(BaseIDAbstractType base) {
+            this.baseID = base;
+        }
+
+        public BaseIDAbstractType getBaseID() {
+            return baseID;
+        }
+
+        public EncryptedElementType getEncryptedID() {
+            return encryptedID;
+        }
+
+        public void setEncryptedID(EncryptedElementType encryptedID) {
+            this.encryptedID = encryptedID;
+        }
+
+        public void addConfirmation(SubjectConfirmationType con) {
+            subjectConfirmation.add(con);
+        }
+
+        public int getCount() {
+            return subjectConfirmation.size();
+        }
+
+        public List<SubjectConfirmationType> getConfirmation() {
+            return Collections.unmodifiableList(subjectConfirmation);
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/URIType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/URIType.java
new file mode 100755
index 0000000000..315f2bc3ed
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/URIType.java
@@ -0,0 +1,31 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.assertion;
+
+import java.net.URI;
+
+/**
+ * A type that holds {@code URI}
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 24, 2010
+ */
+public interface URIType {
+
+    URI getValue();
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/package-info.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/package-info.java
new file mode 100755
index 0000000000..bd5ce84f84
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/assertion/package-info.java
@@ -0,0 +1,22 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Package for the model classes for the SAML2 Assertion
+ */
+package org.keycloak.dom.saml.v2.assertion;
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AdditionalMetadataLocationType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AdditionalMetadataLocationType.java
new file mode 100755
index 0000000000..255960a7e7
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AdditionalMetadataLocationType.java
@@ -0,0 +1,80 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import java.net.URI;
+
+/**
+ * <p>
+ * Java class for AdditionalMetadataLocationType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AdditionalMetadataLocationType">
+ *   &lt;simpleContent>
+ *     &lt;extension base="&lt;http://www.w3.org/2001/XMLSchema>anyURI">
+ *       &lt;attribute name="namespace" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/extension>
+ *   &lt;/simpleContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AdditionalMetadataLocationType {
+
+    protected URI value;
+
+    protected URI namespace;
+
+    /**
+     * Gets the value of the value property.
+     *
+     * @return possible object is {@link URI }
+     */
+    public URI getValue() {
+        return value;
+    }
+
+    /**
+     * Sets the value of the value property.
+     *
+     * @param value allowed object is {@link URI }
+     */
+    public void setValue(URI value) {
+        this.value = value;
+    }
+
+    /**
+     * Gets the value of the namespace property.
+     *
+     * @return possible object is {@link URI }
+     */
+    public URI getNamespace() {
+        return namespace;
+    }
+
+    /**
+     * Sets the value of the namespace property.
+     *
+     * @param value allowed object is {@link URI }
+     */
+    public void setNamespace(URI value) {
+        this.namespace = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AffiliationDescriptorType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AffiliationDescriptorType.java
new file mode 100755
index 0000000000..6d0aa3e9f3
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AffiliationDescriptorType.java
@@ -0,0 +1,233 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import org.keycloak.dom.xmlsec.w3.xmldsig.SignatureType;
+
+import javax.xml.datatype.Duration;
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for AffiliationDescriptorType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AffiliationDescriptorType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}Signature" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}Extensions" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AffiliateMember" maxOccurs="unbounded"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}KeyDescriptor" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="affiliationOwnerID" use="required" type="{urn:oasis:names:tc:SAML:2.0:metadata}entityIDType"
+ * />
+ *       &lt;attribute name="validUntil" type="{http://www.w3.org/2001/XMLSchema}dateTime" />
+ *       &lt;attribute name="cacheDuration" type="{http://www.w3.org/2001/XMLSchema}duration" />
+ *       &lt;attribute name="ID" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AffiliationDescriptorType extends TypeWithOtherAttributes {
+
+    protected SignatureType signature;
+
+    protected ExtensionsType extensions;
+
+    protected List<String> affiliateMember;
+
+    protected List<KeyDescriptorType> keyDescriptor;
+
+    protected String affiliationOwnerID;
+
+    protected XMLGregorianCalendar validUntil;
+
+    protected Duration cacheDuration;
+
+    protected String id;
+
+    /**
+     * Gets the value of the signature property.
+     *
+     * @return possible object is {@link SignatureType }
+     */
+    public SignatureType getSignature() {
+        return signature;
+    }
+
+    /**
+     * Sets the value of the signature property.
+     *
+     * @param value allowed object is {@link SignatureType }
+     */
+    public void setSignature(SignatureType value) {
+        this.signature = value;
+    }
+
+    /**
+     * Gets the value of the extensions property.
+     *
+     * @return possible object is {@link ExtensionsType }
+     */
+    public ExtensionsType getExtensions() {
+        return extensions;
+    }
+
+    /**
+     * Sets the value of the extensions property.
+     *
+     * @param value allowed object is {@link ExtensionsType }
+     */
+    public void setExtensions(ExtensionsType value) {
+        this.extensions = value;
+    }
+
+    /**
+     * Gets the value of the affiliateMember property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * affiliateMember property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getAffiliateMember().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link String }
+     */
+    public List<String> getAffiliateMember() {
+        if (affiliateMember == null) {
+            affiliateMember = new ArrayList<String>();
+        }
+        return this.affiliateMember;
+    }
+
+    /**
+     * Gets the value of the keyDescriptor property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * keyDescriptor property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getKeyDescriptor().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link KeyDescriptorType }
+     */
+    public List<KeyDescriptorType> getKeyDescriptor() {
+        if (keyDescriptor == null) {
+            keyDescriptor = new ArrayList<KeyDescriptorType>();
+        }
+        return this.keyDescriptor;
+    }
+
+    /**
+     * Gets the value of the affiliationOwnerID property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getAffiliationOwnerID() {
+        return affiliationOwnerID;
+    }
+
+    /**
+     * Sets the value of the affiliationOwnerID property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setAffiliationOwnerID(String value) {
+        this.affiliationOwnerID = value;
+    }
+
+    /**
+     * Gets the value of the validUntil property.
+     *
+     * @return possible object is {@link XMLGregorianCalendar }
+     */
+    public XMLGregorianCalendar getValidUntil() {
+        return validUntil;
+    }
+
+    /**
+     * Sets the value of the validUntil property.
+     *
+     * @param value allowed object is {@link XMLGregorianCalendar }
+     */
+    public void setValidUntil(XMLGregorianCalendar value) {
+        this.validUntil = value;
+    }
+
+    /**
+     * Gets the value of the cacheDuration property.
+     *
+     * @return possible object is {@link Duration }
+     */
+    public Duration getCacheDuration() {
+        return cacheDuration;
+    }
+
+    /**
+     * Sets the value of the cacheDuration property.
+     *
+     * @param value allowed object is {@link Duration }
+     */
+    public void setCacheDuration(Duration value) {
+        this.cacheDuration = value;
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getID() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setID(String value) {
+        this.id = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AttributeAuthorityDescriptorType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AttributeAuthorityDescriptorType.java
new file mode 100755
index 0000000000..3855ec163f
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AttributeAuthorityDescriptorType.java
@@ -0,0 +1,203 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for AttributeAuthorityDescriptorType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AttributeAuthorityDescriptorType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptorType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AttributeService" maxOccurs="unbounded"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AssertionIDRequestService" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat" maxOccurs="unbounded" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AttributeProfile" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Attribute" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+
+public class AttributeAuthorityDescriptorType extends RoleDescriptorType {
+
+    protected List<EndpointType> attributeService = new ArrayList<EndpointType>();
+
+    protected List<EndpointType> assertionIDRequestService = new ArrayList<EndpointType>();
+
+    protected List<String> nameIDFormat = new ArrayList<String>();
+
+    protected List<String> attributeProfile = new ArrayList<String>();
+
+    protected List<AttributeType> attribute = new ArrayList<AttributeType>();
+
+    public AttributeAuthorityDescriptorType(List<String> protocolSupport) {
+        super(protocolSupport);
+    }
+
+    /**
+     * Add an attribute service
+     *
+     * @param endpoint
+     */
+    public void addAttributeService(EndpointType endpoint) {
+        this.attributeService.add(endpoint);
+    }
+
+    /**
+     * Add an assertion id request service
+     *
+     * @param endpoint
+     */
+    public void addAssertionIDRequestService(EndpointType endpoint) {
+        this.assertionIDRequestService.add(endpoint);
+    }
+
+    /**
+     * Add a name id
+     *
+     * @param str
+     */
+    public void addNameIDFormat(String str) {
+        this.nameIDFormat.add(str);
+    }
+
+    /**
+     * Add an attribute profile
+     *
+     * @param str
+     */
+    public void addAttributeProfile(String str) {
+        this.attributeProfile.add(str);
+    }
+
+    /**
+     * Add an attribute
+     *
+     * @param attribute
+     */
+    public void addAttribute(AttributeType attribute) {
+        this.attribute.add(attribute);
+    }
+
+    /**
+     * Remove an attribute service
+     *
+     * @param endpoint
+     */
+    public void removeAttributeService(EndpointType endpoint) {
+        this.attributeService.remove(endpoint);
+    }
+
+    /**
+     * Remove assertion id request service
+     *
+     * @param endpoint
+     */
+    public void removeAssertionIDRequestService(EndpointType endpoint) {
+        this.assertionIDRequestService.remove(endpoint);
+    }
+
+    /**
+     * Remove Name ID
+     *
+     * @param str
+     */
+    public void removeNameIDFormat(String str) {
+        this.nameIDFormat.remove(str);
+    }
+
+    /**
+     * Remove attribute profile
+     *
+     * @param str
+     */
+    public void removeAttributeProfile(String str) {
+        this.attributeProfile.remove(str);
+    }
+
+    /**
+     * Remove attribute
+     *
+     * @param attribute
+     */
+    public void removeAttribute(AttributeType attribute) {
+        this.attribute.remove(attribute);
+    }
+
+    /**
+     * Gets the value of the attributeService property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link EndpointType }
+     */
+    public List<EndpointType> getAttributeService() {
+        return Collections.unmodifiableList(this.attributeService);
+    }
+
+    /**
+     * Gets the value of the assertionIDRequestService property.
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link EndpointType }
+     */
+    public List<EndpointType> getAssertionIDRequestService() {
+        return Collections.unmodifiableList(this.assertionIDRequestService);
+    }
+
+    /**
+     * Gets the value of the nameIDFormat property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link String }
+     */
+    public List<String> getNameIDFormat() {
+        return Collections.unmodifiableList(this.nameIDFormat);
+    }
+
+    /**
+     * Gets the value of the attributeProfile property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link String }
+     */
+    public List<String> getAttributeProfile() {
+        return Collections.unmodifiableList(this.attributeProfile);
+    }
+
+    /**
+     * Gets the value of the attribute property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link AttributeType }
+     */
+    public List<AttributeType> getAttribute() {
+        return Collections.unmodifiableList(this.attribute);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AttributeConsumingServiceType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AttributeConsumingServiceType.java
new file mode 100755
index 0000000000..de24312f75
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AttributeConsumingServiceType.java
@@ -0,0 +1,169 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for AttributeConsumingServiceType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AttributeConsumingServiceType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}ServiceName" maxOccurs="unbounded"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}ServiceDescription" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}RequestedAttribute" maxOccurs="unbounded"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="index" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedShort" />
+ *       &lt;attribute name="isDefault" type="{http://www.w3.org/2001/XMLSchema}boolean" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AttributeConsumingServiceType {
+
+    protected List<LocalizedNameType> serviceName = new ArrayList<LocalizedNameType>();
+
+    protected List<LocalizedNameType> serviceDescription = new ArrayList<LocalizedNameType>();
+
+    protected List<RequestedAttributeType> requestedAttribute = new ArrayList<RequestedAttributeType>();
+
+    protected int index;
+
+    protected Boolean isDefault = Boolean.FALSE;
+
+    public AttributeConsumingServiceType(int index) {
+        this.index = index;
+    }
+
+    /**
+     * Add serviceName
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link LocalizedNameType }
+     */
+    public void addServiceName(LocalizedNameType service) {
+        this.serviceName.add(service);
+    }
+
+    /**
+     * Add serviceDescription.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link LocalizedNameType }
+     */
+    public void addServiceDescription(LocalizedNameType desc) {
+        this.serviceDescription.add(desc);
+    }
+
+    /**
+     * Add requestedAttribute
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link RequestedAttributeType }
+     */
+    public void addRequestedAttribute(RequestedAttributeType req) {
+        this.requestedAttribute.add(req);
+    }
+
+    /**
+     * remove serviceName
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link LocalizedNameType }
+     */
+    public void removeServiceName(LocalizedNameType service) {
+        this.serviceName.remove(service);
+    }
+
+    /**
+     * remove serviceDescription.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link LocalizedNameType }
+     */
+    public void removeServiceDescription(LocalizedNameType desc) {
+        this.serviceDescription.remove(desc);
+    }
+
+    /**
+     * remove requestedAttribute
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link RequestedAttributeType }
+     */
+    public void removeRequestedAttribute(RequestedAttributeType req) {
+        this.requestedAttribute.remove(req);
+    }
+
+    /**
+     * Gets the value of the serviceName property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link LocalizedNameType }
+     */
+    public List<LocalizedNameType> getServiceName() {
+        return Collections.unmodifiableList(this.serviceName);
+    }
+
+    /**
+     * Gets the value of the serviceDescription property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link LocalizedNameType }
+     */
+    public List<LocalizedNameType> getServiceDescription() {
+        return Collections.unmodifiableList(this.serviceDescription);
+    }
+
+    /**
+     * Gets the value of the requestedAttribute property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link RequestedAttributeType }
+     */
+    public List<RequestedAttributeType> getRequestedAttribute() {
+        return Collections.unmodifiableList(this.requestedAttribute);
+    }
+
+    /**
+     * Gets the value of the index property.
+     */
+    public int getIndex() {
+        return index;
+    }
+
+    /**
+     * Gets the value of the isDefault property.
+     *
+     * @return possible object is {@link Boolean }
+     */
+    public Boolean isIsDefault() {
+        return isDefault;
+    }
+
+    /**
+     * Sets the value of the isDefault property.
+     *
+     * @param value allowed object is {@link Boolean }
+     */
+    public void setIsDefault(Boolean value) {
+        this.isDefault = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AuthnAuthorityDescriptorType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AuthnAuthorityDescriptorType.java
new file mode 100755
index 0000000000..9ac9618de8
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/AuthnAuthorityDescriptorType.java
@@ -0,0 +1,138 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for AuthnAuthorityDescriptorType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthnAuthorityDescriptorType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptorType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AuthnQueryService" maxOccurs="unbounded"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AssertionIDRequestService" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AuthnAuthorityDescriptorType extends RoleDescriptorType {
+
+    protected List<EndpointType> authnQueryService = new ArrayList<EndpointType>();
+
+    protected List<EndpointType> assertionIDRequestService = new ArrayList<EndpointType>();
+
+    protected List<String> nameIDFormat = new ArrayList<String>();
+
+    public AuthnAuthorityDescriptorType(List<String> protocolSupport) {
+        super(protocolSupport);
+    }
+
+    /**
+     * Add authn query service
+     *
+     * @param endpoint
+     */
+    public void addAuthnQueryService(EndpointType endpoint) {
+        this.authnQueryService.add(endpoint);
+    }
+
+    /**
+     * Add assertion id request service
+     *
+     * @param endpoint
+     */
+    public void addAssertionIDRequestService(EndpointType endpoint) {
+        this.assertionIDRequestService.add(endpoint);
+    }
+
+    /**
+     * Add name id format
+     *
+     * @param str
+     */
+    public void addNameIDFormat(String str) {
+        this.nameIDFormat.add(str);
+    }
+
+    /**
+     * Remove authn query service
+     *
+     * @param endpoint
+     */
+    public void removeAuthnQueryService(EndpointType endpoint) {
+        this.authnQueryService.remove(endpoint);
+    }
+
+    /**
+     * remove assertion id request service
+     *
+     * @param endpoint
+     */
+    public void removeAssertionIDRequestService(EndpointType endpoint) {
+        this.assertionIDRequestService.remove(endpoint);
+    }
+
+    /**
+     * remove name id format
+     *
+     * @param str
+     */
+    public void removeNameIDFormat(String str) {
+        this.nameIDFormat.remove(str);
+    }
+
+    /**
+     * Gets the value of the authnQueryService property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link EndpointType }
+     */
+    public List<EndpointType> getAuthnQueryService() {
+        return Collections.unmodifiableList(this.authnQueryService);
+    }
+
+    /**
+     * Gets the value of the assertionIDRequestService property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link EndpointType }
+     */
+    public List<EndpointType> getAssertionIDRequestService() {
+        return Collections.unmodifiableList(this.assertionIDRequestService);
+    }
+
+    /**
+     * Gets the value of the nameIDFormat property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link String }
+     */
+    public List<String> getNameIDFormat() {
+        return Collections.unmodifiableList(this.nameIDFormat);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/ContactType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/ContactType.java
new file mode 100755
index 0000000000..23a24acd4a
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/ContactType.java
@@ -0,0 +1,214 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for ContactType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ContactType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}Extensions" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}Company" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}GivenName" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}SurName" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}EmailAddress" maxOccurs="unbounded" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}TelephoneNumber" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="contactType" use="required" type="{urn:oasis:names:tc:SAML:2.0:metadata}ContactTypeType"
+ * />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ContactType extends TypeWithOtherAttributes {
+
+    protected ExtensionsType extensions;
+
+    protected String company;
+
+    protected String givenName;
+
+    protected String surName;
+
+    protected List<String> emailAddress = new ArrayList<String>();
+
+    protected List<String> telephoneNumber = new ArrayList<String>();
+
+    protected ContactTypeType contactType;
+
+    public ContactType(ContactTypeType contactType) {
+        this.contactType = contactType;
+    }
+
+    /**
+     * Gets the value of the extensions property.
+     *
+     * @return possible object is {@link ExtensionsType }
+     */
+    public ExtensionsType getExtensions() {
+        return extensions;
+    }
+
+    /**
+     * Sets the value of the extensions property.
+     *
+     * @param value allowed object is {@link ExtensionsType }
+     */
+    public void setExtensions(ExtensionsType value) {
+        this.extensions = value;
+    }
+
+    /**
+     * Gets the value of the company property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getCompany() {
+        return company;
+    }
+
+    /**
+     * Sets the value of the company property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setCompany(String value) {
+        this.company = value;
+    }
+
+    /**
+     * Gets the value of the givenName property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getGivenName() {
+        return givenName;
+    }
+
+    /**
+     * Sets the value of the givenName property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setGivenName(String value) {
+        this.givenName = value;
+    }
+
+    /**
+     * Gets the value of the surName property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getSurName() {
+        return surName;
+    }
+
+    /**
+     * Sets the value of the surName property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setSurName(String value) {
+        this.surName = value;
+    }
+
+    /**
+     * Add an email address
+     *
+     * @param email
+     */
+    public void addEmailAddress(String email) {
+        this.emailAddress.add(email);
+    }
+
+    /**
+     * remove a telephone
+     *
+     * @param tel
+     */
+    public void removeTelephone(String tel) {
+        this.telephoneNumber.remove(tel);
+    }
+
+    /**
+     * remove an email address
+     *
+     * @param email
+     */
+    public void removeEmailAddress(String email) {
+        this.emailAddress.remove(email);
+    }
+
+    /**
+     * Add a telephone
+     *
+     * @param tel
+     */
+    public void addTelephone(String tel) {
+        this.telephoneNumber.add(tel);
+    }
+
+    /**
+     * Gets the value of the emailAddress property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link String }
+     */
+    public List<String> getEmailAddress() {
+        return Collections.unmodifiableList(this.emailAddress);
+    }
+
+    /**
+     * Gets the value of the telephoneNumber property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link String }
+     */
+    public List<String> getTelephoneNumber() {
+        return Collections.unmodifiableList(this.telephoneNumber);
+    }
+
+    /**
+     * Gets the value of the contactType property.
+     *
+     * @return possible object is {@link ContactTypeType }
+     */
+    public ContactTypeType getContactType() {
+        return contactType;
+    }
+
+    /**
+     * Sets the value of the contactType property.
+     *
+     * @param value allowed object is {@link ContactTypeType }
+     */
+    public void setContactType(ContactTypeType value) {
+        this.contactType = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/ContactTypeType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/ContactTypeType.java
new file mode 100755
index 0000000000..d448c2bb1d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/ContactTypeType.java
@@ -0,0 +1,61 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+/**
+ * <p>
+ * Java class for ContactTypeType.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ * <p>
+ *
+ * <pre>
+ * &lt;simpleType name="ContactTypeType">
+ *   &lt;restriction base="{http://www.w3.org/2001/XMLSchema}string">
+ *     &lt;enumeration value="technical"/>
+ *     &lt;enumeration value="support"/>
+ *     &lt;enumeration value="administrative"/>
+ *     &lt;enumeration value="billing"/>
+ *     &lt;enumeration value="other"/>
+ *   &lt;/restriction>
+ * &lt;/simpleType>
+ * </pre>
+ */
+public enum ContactTypeType {
+    TECHNICAL("technical"), SUPPORT("support"), ADMINISTRATIVE("administrative"), BILLING("billing"), OTHER("other");
+    private final String value;
+
+    ContactTypeType(String v) {
+        value = v;
+    }
+
+    public String value() {
+        return value;
+    }
+
+    public static ContactTypeType fromValue(String v) {
+        for (ContactTypeType c : ContactTypeType.values()) {
+            if (c.value.equals(v)) {
+                return c;
+            }
+        }
+        throw new IllegalArgumentException(v);
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/EndpointType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/EndpointType.java
new file mode 100755
index 0000000000..96104f4197
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/EndpointType.java
@@ -0,0 +1,124 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for EndpointType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="EndpointType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Binding" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="Location" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="ResponseLocation" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class EndpointType extends TypeWithOtherAttributes {
+
+    protected List<Object> any = new ArrayList<Object>();
+
+    protected URI binding;
+
+    protected URI location;
+
+    protected URI responseLocation;
+
+    public EndpointType(URI binding, URI location) {
+        this.binding = binding;
+        this.location = location;
+    }
+
+    /**
+     * Add an object
+     *
+     * @param obj
+     */
+    public void addObject(Object obj) {
+        this.any.add(obj);
+    }
+
+    /**
+     * remove an object
+     *
+     * @param obj
+     */
+    public void removeObject(Object obj) {
+        this.any.remove(obj);
+    }
+
+    /**
+     * Gets the value of the any property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link org.w3c.dom.Element } {@link Object }
+     */
+    public List<Object> getAny() {
+        return Collections.unmodifiableList(this.any);
+    }
+
+    /**
+     * Gets the value of the binding property.
+     *
+     * @return possible object is {@link URI }
+     */
+    public URI getBinding() {
+        return binding;
+    }
+
+    /**
+     * Gets the value of the location property.
+     *
+     * @return possible object is {@link URI }
+     */
+    public URI getLocation() {
+        return location;
+    }
+
+    /**
+     * Gets the value of the responseLocation property.
+     *
+     * @return possible object is {@link URI }
+     */
+    public URI getResponseLocation() {
+        return responseLocation;
+    }
+
+    /**
+     * Sets the value of the responseLocation property.
+     *
+     * @param value allowed object is {@link URI }
+     */
+    public void setResponseLocation(URI value) {
+        this.responseLocation = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/EntitiesDescriptorType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/EntitiesDescriptorType.java
new file mode 100755
index 0000000000..895a665ffe
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/EntitiesDescriptorType.java
@@ -0,0 +1,207 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import org.w3c.dom.Element;
+
+import javax.xml.datatype.Duration;
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for EntitiesDescriptorType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="EntitiesDescriptorType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}Signature" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}Extensions" minOccurs="0"/>
+ *         &lt;choice maxOccurs="unbounded">
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}EntitiesDescriptor"/>
+ *         &lt;/choice>
+ *       &lt;/sequence>
+ *       &lt;attribute name="validUntil" type="{http://www.w3.org/2001/XMLSchema}dateTime" />
+ *       &lt;attribute name="cacheDuration" type="{http://www.w3.org/2001/XMLSchema}duration" />
+ *       &lt;attribute name="ID" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *       &lt;attribute name="Name" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class EntitiesDescriptorType {
+
+    protected Element signature;
+
+    protected ExtensionsType extensions;
+
+    protected List<Object> entityDescriptor = new ArrayList<Object>();
+
+    protected XMLGregorianCalendar validUntil;
+
+    protected Duration cacheDuration;
+
+    protected String id;
+
+    protected String name;
+
+    /**
+     * Gets the value of the signature property.
+     *
+     * @return possible object is {@link Element }
+     */
+    public Element getSignature() {
+        return signature;
+    }
+
+    /**
+     * Sets the value of the signature property.
+     *
+     * @param value allowed object is {@link Element }
+     */
+    public void setSignature(Element value) {
+        this.signature = value;
+    }
+
+    /**
+     * Gets the value of the extensions property.
+     *
+     * @return possible object is {@link ExtensionsType }
+     */
+    public ExtensionsType getExtensions() {
+        return extensions;
+    }
+
+    /**
+     * Sets the value of the extensions property.
+     *
+     * @param value allowed object is {@link ExtensionsType }
+     */
+    public void setExtensions(ExtensionsType value) {
+        this.extensions = value;
+    }
+
+    /**
+     * Add an entity descriptor
+     *
+     * @param obj
+     */
+    public void addEntityDescriptor(Object obj) {
+        this.entityDescriptor.add(obj);
+    }
+
+    /**
+     * Remove an entity descriptor
+     *
+     * @param obj
+     */
+    public void removeEntityDescriptor(Object obj) {
+        this.entityDescriptor.remove(obj);
+    }
+
+    /**
+     * Gets the value of the entityDescriptorOrEntitiesDescriptor property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link EntitiesDescriptorType } {@link
+     * EntityDescriptorType }
+     */
+    public List<Object> getEntityDescriptor() {
+        return Collections.unmodifiableList(this.entityDescriptor);
+    }
+
+    /**
+     * Gets the value of the validUntil property.
+     *
+     * @return possible object is {@link XMLGregorianCalendar }
+     */
+    public XMLGregorianCalendar getValidUntil() {
+        return validUntil;
+    }
+
+    /**
+     * Sets the value of the validUntil property.
+     *
+     * @param value allowed object is {@link XMLGregorianCalendar }
+     */
+    public void setValidUntil(XMLGregorianCalendar value) {
+        this.validUntil = value;
+    }
+
+    /**
+     * Gets the value of the cacheDuration property.
+     *
+     * @return possible object is {@link Duration }
+     */
+    public Duration getCacheDuration() {
+        return cacheDuration;
+    }
+
+    /**
+     * Sets the value of the cacheDuration property.
+     *
+     * @param value allowed object is {@link Duration }
+     */
+    public void setCacheDuration(Duration value) {
+        this.cacheDuration = value;
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getID() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setID(String value) {
+        this.id = value;
+    }
+
+    /**
+     * Gets the value of the name property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getName() {
+        return name;
+    }
+
+    /**
+     * Sets the value of the name property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setName(String value) {
+        this.name = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/EntityDescriptorType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/EntityDescriptorType.java
new file mode 100755
index 0000000000..a8a39b0eab
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/EntityDescriptorType.java
@@ -0,0 +1,391 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import org.w3c.dom.Element;
+
+import javax.xml.datatype.Duration;
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for EntityDescriptorType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="EntityDescriptorType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}Signature" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}Extensions" minOccurs="0"/>
+ *         &lt;choice>
+ *           &lt;choice maxOccurs="unbounded">
+ *             &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptor"/>
+ *             &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}IDPSSODescriptor"/>
+ *             &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}SPSSODescriptor"/>
+ *             &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AuthnAuthorityDescriptor"/>
+ *             &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AttributeAuthorityDescriptor"/>
+ *             &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}PDPDescriptor"/>
+ *           &lt;/choice>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AffiliationDescriptor"/>
+ *         &lt;/choice>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}Organization" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}ContactPerson" maxOccurs="unbounded" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AdditionalMetadataLocation" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="entityID" use="required" type="{urn:oasis:names:tc:SAML:2.0:metadata}entityIDType" />
+ *       &lt;attribute name="validUntil" type="{http://www.w3.org/2001/XMLSchema}dateTime" />
+ *       &lt;attribute name="cacheDuration" type="{http://www.w3.org/2001/XMLSchema}duration" />
+ *       &lt;attribute name="ID" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class EntityDescriptorType extends TypeWithOtherAttributes {
+
+    public static class EDTChoiceType {
+
+        private List<EDTDescriptorChoiceType> descriptors = new ArrayList<EntityDescriptorType.EDTDescriptorChoiceType>();
+
+        private AffiliationDescriptorType affiliationDescriptor;
+
+        public EDTChoiceType(List<EDTDescriptorChoiceType> descriptors) {
+            this.descriptors = descriptors;
+        }
+
+        public EDTChoiceType(AffiliationDescriptorType affiliationDescriptor) {
+            this.affiliationDescriptor = affiliationDescriptor;
+        }
+
+        public List<EDTDescriptorChoiceType> getDescriptors() {
+            return Collections.unmodifiableList(descriptors);
+        }
+
+        public AffiliationDescriptorType getAffiliationDescriptor() {
+            return affiliationDescriptor;
+        }
+
+        public static EDTChoiceType oneValue(EDTDescriptorChoiceType edt) {
+            List<EDTDescriptorChoiceType> aList = new ArrayList<EntityDescriptorType.EDTDescriptorChoiceType>();
+            aList.add(edt);
+            return new EDTChoiceType(aList);
+        }
+    }
+
+    public static class EDTDescriptorChoiceType {
+
+        private RoleDescriptorType roleDescriptor;
+
+        private IDPSSODescriptorType idpDescriptor;
+
+        private SPSSODescriptorType spDescriptor;
+
+        private AuthnAuthorityDescriptorType authnDescriptor;
+
+        private AttributeAuthorityDescriptorType attribDescriptor;
+
+        private PDPDescriptorType pdpDescriptor;
+
+        public EDTDescriptorChoiceType(AuthnAuthorityDescriptorType authnDescriptor) {
+            this.authnDescriptor = authnDescriptor;
+        }
+
+        public EDTDescriptorChoiceType(AttributeAuthorityDescriptorType attribDescriptor) {
+            this.attribDescriptor = attribDescriptor;
+        }
+
+        public EDTDescriptorChoiceType(PDPDescriptorType pdpDescriptor) {
+            this.pdpDescriptor = pdpDescriptor;
+        }
+
+        public EDTDescriptorChoiceType(SSODescriptorType sso) {
+            if (sso instanceof IDPSSODescriptorType) {
+                this.idpDescriptor = (IDPSSODescriptorType) sso;
+            } else
+                this.spDescriptor = (SPSSODescriptorType) sso;
+        }
+
+        public EDTDescriptorChoiceType(RoleDescriptorType roleDescriptor) {
+            this.roleDescriptor = roleDescriptor;
+        }
+
+        public RoleDescriptorType getRoleDescriptor() {
+            return roleDescriptor;
+        }
+
+        public IDPSSODescriptorType getIdpDescriptor() {
+            return idpDescriptor;
+        }
+
+        public SPSSODescriptorType getSpDescriptor() {
+            return spDescriptor;
+        }
+
+        public AuthnAuthorityDescriptorType getAuthnDescriptor() {
+            return authnDescriptor;
+        }
+
+        public AttributeAuthorityDescriptorType getAttribDescriptor() {
+            return attribDescriptor;
+        }
+
+        public PDPDescriptorType getPdpDescriptor() {
+            return pdpDescriptor;
+        }
+    }
+
+    protected Element signature;
+
+    protected ExtensionsType extensions;
+
+    protected List<EDTChoiceType> choiceType = new ArrayList<EntityDescriptorType.EDTChoiceType>();
+
+    protected OrganizationType organization;
+
+    protected List<ContactType> contactPerson = new ArrayList<ContactType>();
+
+    protected List<AdditionalMetadataLocationType> additionalMetadataLocation = new ArrayList<AdditionalMetadataLocationType>();
+
+    protected String entityID;
+
+    protected XMLGregorianCalendar validUntil;
+
+    protected Duration cacheDuration;
+
+    protected String id;
+
+    public EntityDescriptorType(String entityID) {
+        this.entityID = entityID;
+    }
+
+    /**
+     * Gets the value of the signature property.
+     *
+     * @return possible object is {@link Element }
+     */
+    public Element getSignature() {
+        return signature;
+    }
+
+    /**
+     * Sets the value of the signature property.
+     *
+     * @param value allowed object is {@link Element }
+     */
+    public void setSignature(Element value) {
+        this.signature = value;
+    }
+
+    /**
+     * Gets the value of the extensions property.
+     *
+     * @return possible object is {@link ExtensionsType }
+     */
+    public ExtensionsType getExtensions() {
+        return extensions;
+    }
+
+    /**
+     * Sets the value of the extensions property.
+     *
+     * @param value allowed object is {@link ExtensionsType }
+     */
+    public void setExtensions(ExtensionsType value) {
+        this.extensions = value;
+    }
+
+    /**
+     * Get a read only list of choice types
+     *
+     * @return
+     */
+    public List<EDTChoiceType> getChoiceType() {
+        return Collections.unmodifiableList(choiceType);
+    }
+
+    /**
+     * Add a choice type
+     *
+     * @param choiceType
+     */
+    public void addChoiceType(EDTChoiceType choiceType) {
+        this.choiceType.add(choiceType);
+    }
+
+    /**
+     * Remove a choice type
+     *
+     * @param choiceType
+     */
+    public void removeChoiceType(EDTChoiceType choiceType) {
+        this.choiceType.remove(choiceType);
+    }
+
+    /**
+     * Gets the value of the organization property.
+     *
+     * @return possible object is {@link OrganizationType }
+     */
+    public OrganizationType getOrganization() {
+        return organization;
+    }
+
+    /**
+     * Sets the value of the organization property.
+     *
+     * @param value allowed object is {@link OrganizationType }
+     */
+    public void setOrganization(OrganizationType value) {
+        this.organization = value;
+    }
+
+    /**
+     * Add a {@link ContactType} contact person
+     *
+     * @param ct
+     */
+    public void addContactPerson(ContactType ct) {
+        contactPerson.add(ct);
+    }
+
+    public void removeContactPerson(ContactType ct) {
+        contactPerson.remove(ct);
+    }
+
+    /**
+     * Gets the value of the contactPerson property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ContactType }
+     */
+    public List<ContactType> getContactPerson() {
+        return Collections.unmodifiableList(this.contactPerson);
+    }
+
+    /**
+     * Add a {@link AdditionalMetadataLocationType}
+     *
+     * @param amld
+     */
+    public void addAdditionalMetadataLocationType(AdditionalMetadataLocationType amld) {
+        this.additionalMetadataLocation.add(amld);
+    }
+
+    /**
+     * Remove a {@link AdditionalMetadataLocationType}
+     *
+     * @param amld
+     */
+    public void removeAdditionalMetadataLocationType(AdditionalMetadataLocationType amld) {
+        this.additionalMetadataLocation.remove(amld);
+    }
+
+    /**
+     * Gets the value of the additionalMetadataLocation property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * additionalMetadataLocation property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getAdditionalMetadataLocation().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link AdditionalMetadataLocationType }
+     */
+    public List<AdditionalMetadataLocationType> getAdditionalMetadataLocation() {
+        return Collections.unmodifiableList(this.additionalMetadataLocation);
+    }
+
+    /**
+     * Gets the value of the entityID property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getEntityID() {
+        return entityID;
+    }
+
+    /**
+     * Gets the value of the validUntil property.
+     *
+     * @return possible object is {@link XMLGregorianCalendar }
+     */
+    public XMLGregorianCalendar getValidUntil() {
+        return validUntil;
+    }
+
+    /**
+     * Sets the value of the validUntil property.
+     *
+     * @param value allowed object is {@link XMLGregorianCalendar }
+     */
+    public void setValidUntil(XMLGregorianCalendar value) {
+        this.validUntil = value;
+    }
+
+    /**
+     * Gets the value of the cacheDuration property.
+     *
+     * @return possible object is {@link Duration }
+     */
+    public Duration getCacheDuration() {
+        return cacheDuration;
+    }
+
+    /**
+     * Sets the value of the cacheDuration property.
+     *
+     * @param value allowed object is {@link Duration }
+     */
+    public void setCacheDuration(Duration value) {
+        this.cacheDuration = value;
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getID() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setID(String value) {
+        this.id = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/ExtensionsType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/ExtensionsType.java
new file mode 100755
index 0000000000..1d4f996d07
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/ExtensionsType.java
@@ -0,0 +1,52 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import org.w3c.dom.Element;
+
+/**
+ * <p>
+ * Java class for ExtensionsType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ExtensionsType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ExtensionsType {
+
+    protected Element element = null;
+
+    public Element getElement() {
+        return element;
+    }
+
+    public void setElement(Element element) {
+        this.element = element;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/IDPSSODescriptorType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/IDPSSODescriptorType.java
new file mode 100755
index 0000000000..ca3444eafc
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/IDPSSODescriptorType.java
@@ -0,0 +1,233 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for IDPSSODescriptorType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="IDPSSODescriptorType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:metadata}SSODescriptorType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}SingleSignOnService" maxOccurs="unbounded"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}NameIDMappingService" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AssertionIDRequestService" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AttributeProfile" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Attribute" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="WantAuthnRequestsSigned" type="{http://www.w3.org/2001/XMLSchema}boolean" />
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class IDPSSODescriptorType extends SSODescriptorType {
+
+    protected List<EndpointType> singleSignOnService = new ArrayList<EndpointType>();
+
+    protected List<EndpointType> nameIDMappingService = new ArrayList<EndpointType>();
+
+    protected List<EndpointType> assertionIDRequestService = new ArrayList<EndpointType>();
+
+    protected List<String> attributeProfile = new ArrayList<String>();
+
+    protected List<AttributeType> attribute = new ArrayList<AttributeType>();
+
+    protected Boolean wantAuthnRequestsSigned = false;
+
+    public IDPSSODescriptorType(List<String> protocolSupport) {
+        super(protocolSupport);
+    }
+
+    /**
+     * Add a SSO service
+     *
+     * @param endpt
+     */
+    public void addSingleSignOnService(EndpointType endpt) {
+        this.singleSignOnService.add(endpt);
+    }
+
+    /**
+     * Add name id mapping service
+     *
+     * @param endpt
+     */
+    public void addNameIDMappingService(EndpointType endpt) {
+        this.nameIDMappingService.add(endpt);
+    }
+
+    /**
+     * Add assertion id request service
+     *
+     * @param endpt
+     */
+    public void addAssertionIDRequestService(EndpointType endpt) {
+        this.assertionIDRequestService.add(endpt);
+    }
+
+    /**
+     * Add attribute profile
+     *
+     * @param str
+     */
+    public void addAttributeProfile(String str) {
+        this.attributeProfile.add(str);
+    }
+
+    /**
+     * Add attribute
+     *
+     * @param att
+     */
+    public void addAttribute(AttributeType att) {
+        this.attribute.add(att);
+    }
+
+    /**
+     * Remove a SSO service
+     *
+     * @param endpt
+     */
+    public void removeSingleSignOnService(EndpointType endpt) {
+        this.singleSignOnService.remove(endpt);
+    }
+
+    /**
+     * remove name id mapping service
+     *
+     * @param endpt
+     */
+    public void removeNameIDMappingService(EndpointType endpt) {
+        this.nameIDMappingService.remove(endpt);
+    }
+
+    /**
+     * remove assertion id request service
+     *
+     * @param endpt
+     */
+    public void removeAssertionIDRequestService(EndpointType endpt) {
+        this.assertionIDRequestService.remove(endpt);
+    }
+
+    /**
+     * Add attribute profile
+     *
+     * @param str
+     */
+    public void removeAttributeProfile(String str) {
+        this.attributeProfile.remove(str);
+    }
+
+    /**
+     * Add attribute
+     *
+     * @param att
+     */
+    public void removeAttribute(AttributeType att) {
+        this.attribute.remove(att);
+    }
+
+    /**
+     * Gets the value of the singleSignOnService property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link EndpointType }
+     */
+    public List<EndpointType> getSingleSignOnService() {
+        return Collections.unmodifiableList(this.singleSignOnService);
+    }
+
+    /**
+     * Gets the value of the nameIDMappingService property.
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link EndpointType }
+     */
+    public List<EndpointType> getNameIDMappingService() {
+        return Collections.unmodifiableList(this.nameIDMappingService);
+    }
+
+    /**
+     * Gets the value of the assertionIDRequestService property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link EndpointType }
+     */
+    public List<EndpointType> getAssertionIDRequestService() {
+        return Collections.unmodifiableList(this.assertionIDRequestService);
+    }
+
+    /**
+     * Gets the value of the attributeProfile property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * attributeProfile property.
+     *
+     * <p>
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link String }
+     */
+    public List<String> getAttributeProfile() {
+        return Collections.unmodifiableList(this.attributeProfile);
+    }
+
+    /**
+     * Gets the value of the attribute property.
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link AttributeType }
+     */
+    public List<AttributeType> getAttribute() {
+        return Collections.unmodifiableList(this.attribute);
+    }
+
+    /**
+     * Gets the value of the wantAuthnRequestsSigned property.
+     *
+     * @return possible object is {@link Boolean }
+     */
+    public Boolean isWantAuthnRequestsSigned() {
+        return wantAuthnRequestsSigned;
+    }
+
+    /**
+     * Sets the value of the wantAuthnRequestsSigned property.
+     *
+     * @param value allowed object is {@link Boolean }
+     */
+    public void setWantAuthnRequestsSigned(Boolean value) {
+        this.wantAuthnRequestsSigned = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/IndexedEndpointType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/IndexedEndpointType.java
new file mode 100755
index 0000000000..bb42134aee
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/IndexedEndpointType.java
@@ -0,0 +1,81 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import java.net.URI;
+
+/**
+ * <p>
+ * Java class for IndexedEndpointType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="IndexedEndpointType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:metadata}EndpointType">
+ *       &lt;attribute name="index" use="required" type="{http://www.w3.org/2001/XMLSchema}unsignedShort" />
+ *       &lt;attribute name="isDefault" type="{http://www.w3.org/2001/XMLSchema}boolean" />
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class IndexedEndpointType extends EndpointType {
+
+    protected int index;
+
+    protected Boolean isDefault;
+
+    public IndexedEndpointType(URI binding, URI location) {
+        super(binding, location);
+    }
+
+    /**
+     * Gets the value of the index property.
+     */
+    public int getIndex() {
+        return index;
+    }
+
+    /**
+     * Sets the value of the index property.
+     */
+    public void setIndex(int value) {
+        this.index = value;
+    }
+
+    /**
+     * Gets the value of the isDefault property.
+     *
+     * @return possible object is {@link Boolean }
+     */
+    public Boolean isIsDefault() {
+        return isDefault;
+    }
+
+    /**
+     * Sets the value of the isDefault property.
+     *
+     * @param value allowed object is {@link Boolean }
+     */
+    public void setIsDefault(Boolean value) {
+        this.isDefault = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/KeyDescriptorType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/KeyDescriptorType.java
new file mode 100755
index 0000000000..d28e7314d1
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/KeyDescriptorType.java
@@ -0,0 +1,119 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import org.keycloak.dom.xmlsec.w3.xmlenc.EncryptionMethodType;
+import org.w3c.dom.Element;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for KeyDescriptorType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="KeyDescriptorType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}KeyInfo"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}EncryptionMethod" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="use" type="{urn:oasis:names:tc:SAML:2.0:metadata}KeyTypes" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class KeyDescriptorType {
+
+    protected Element keyInfo;
+
+    protected List<EncryptionMethodType> encryptionMethod = new ArrayList<EncryptionMethodType>();
+
+    protected KeyTypes use;
+
+    /**
+     * Gets the value of the keyInfo property.
+     *
+     * @return possible object is {@link org.keycloak.dom.xmlsec.w3.xmldsig.KeyInfoType }
+     */
+    public Element getKeyInfo() {
+        return keyInfo;
+    }
+
+    /**
+     * Sets the value of the keyInfo property.
+     *
+     * @param value allowed object is {@link org.keycloak.dom.xmlsec.w3.xmldsig.KeyInfoType }
+     */
+    public void setKeyInfo(Element value) {
+        this.keyInfo = value;
+    }
+
+    /**
+     * Add encryption method type
+     *
+     * @param e
+     */
+    public void addEncryptionMethod(EncryptionMethodType e) {
+        this.encryptionMethod.add(e);
+    }
+
+    /**
+     * Remove encryption method type
+     *
+     * @param e
+     */
+    public void removeEncryptionMethod(EncryptionMethodType e) {
+        this.encryptionMethod.remove(e);
+    }
+
+    /**
+     * Gets the value of the encryptionMethod property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link EncryptionMethodType }
+     */
+    public List<EncryptionMethodType> getEncryptionMethod() {
+        return Collections.unmodifiableList(this.encryptionMethod);
+    }
+
+    /**
+     * Gets the value of the use property.
+     *
+     * @return possible object is {@link KeyTypes }
+     */
+    public KeyTypes getUse() {
+        return use;
+    }
+
+    /**
+     * Sets the value of the use property.
+     *
+     * @param value allowed object is {@link KeyTypes }
+     */
+    public void setUse(KeyTypes value) {
+        this.use = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/KeyTypes.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/KeyTypes.java
new file mode 100755
index 0000000000..dcb362d4a5
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/KeyTypes.java
@@ -0,0 +1,57 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+/**
+ * <p>
+ * Java class for KeyTypes.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ * <p>
+ *
+ * <pre>
+ * &lt;simpleType name="KeyTypes">
+ *   &lt;restriction base="{http://www.w3.org/2001/XMLSchema}string">
+ *     &lt;enumeration value="encryption"/>
+ *     &lt;enumeration value="signing"/>
+ *   &lt;/restriction>
+ * &lt;/simpleType>
+ * </pre>
+ */
+public enum KeyTypes {
+    ENCRYPTION("encryption"), SIGNING("signing");
+    private final String value;
+
+    KeyTypes(String v) {
+        value = v;
+    }
+
+    public String value() {
+        return value;
+    }
+
+    public static KeyTypes fromValue(String v) {
+        for (KeyTypes c : KeyTypes.values()) {
+            if (c.value.equals(v)) {
+                return c;
+            }
+        }
+        throw new IllegalArgumentException(v);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/LocalizedNameType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/LocalizedNameType.java
new file mode 100755
index 0000000000..6e4d252ee3
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/LocalizedNameType.java
@@ -0,0 +1,73 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+/**
+ * <p>
+ * Java class for localizedNameType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="localizedNameType">
+ *   &lt;simpleContent>
+ *     &lt;extension base="&lt;http://www.w3.org/2001/XMLSchema>string">
+ *       &lt;attribute ref="{http://www.w3.org/XML/1998/namespace}lang use="required""/>
+ *     &lt;/extension>
+ *   &lt;/simpleContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class LocalizedNameType {
+
+    protected String value;
+
+    protected String lang;
+
+    public LocalizedNameType(String lang) {
+        this.lang = lang;
+    }
+
+    /**
+     * Gets the value of the value property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getValue() {
+        return value;
+    }
+
+    /**
+     * Sets the value of the value property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setValue(String value) {
+        this.value = value;
+    }
+
+    /**
+     * Gets the value of the lang property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getLang() {
+        return lang;
+    }
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/LocalizedURIType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/LocalizedURIType.java
new file mode 100755
index 0000000000..103fd0723a
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/LocalizedURIType.java
@@ -0,0 +1,75 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import java.net.URI;
+
+/**
+ * <p>
+ * Java class for localizedURIType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="localizedURIType">
+ *   &lt;simpleContent>
+ *     &lt;extension base="&lt;http://www.w3.org/2001/XMLSchema>anyURI">
+ *       &lt;attribute ref="{http://www.w3.org/XML/1998/namespace}lang use="required""/>
+ *     &lt;/extension>
+ *   &lt;/simpleContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class LocalizedURIType {
+
+    protected URI value;
+
+    protected String lang;
+
+    public LocalizedURIType(String lang) {
+        this.lang = lang;
+    }
+
+    /**
+     * Gets the value of the value property.
+     *
+     * @return possible object is {@link String }
+     */
+    public URI getValue() {
+        return value;
+    }
+
+    /**
+     * Sets the value of the value property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setValue(URI value) {
+        this.value = value;
+    }
+
+    /**
+     * Gets the value of the lang property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getLang() {
+        return lang;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/OrganizationType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/OrganizationType.java
new file mode 100755
index 0000000000..7901a1e723
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/OrganizationType.java
@@ -0,0 +1,155 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for OrganizationType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="OrganizationType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}Extensions" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}OrganizationName" maxOccurs="unbounded"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}OrganizationDisplayName" maxOccurs="unbounded"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}OrganizationURL" maxOccurs="unbounded"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+
+public class OrganizationType extends TypeWithOtherAttributes {
+
+    protected ExtensionsType extensions;
+
+    protected List<LocalizedNameType> organizationName = new ArrayList<LocalizedNameType>();
+
+    protected List<LocalizedNameType> organizationDisplayName = new ArrayList<LocalizedNameType>();
+
+    protected List<LocalizedURIType> organizationURL = new ArrayList<LocalizedURIType>();
+
+    /**
+     * Add an organization name
+     *
+     * @param name
+     */
+    public void addOrganizationName(LocalizedNameType name) {
+        this.organizationName.add(name);
+    }
+
+    /**
+     * Add organization display name
+     *
+     * @param name
+     */
+    public void addOrganizationDisplayName(LocalizedNameType name) {
+        this.organizationDisplayName.add(name);
+    }
+
+    /**
+     * Add organization url
+     *
+     * @param uri
+     */
+    public void addOrganizationURL(LocalizedURIType uri) {
+        this.organizationURL.add(uri);
+    }
+
+    /**
+     * remove an organization name
+     *
+     * @param name
+     */
+    public void removeOrganizationName(LocalizedNameType name) {
+        this.organizationName.remove(name);
+    }
+
+    /**
+     * remove organization display name
+     *
+     * @param name
+     */
+    public void removeOrganizationDisplayName(LocalizedNameType name) {
+        this.organizationDisplayName.remove(name);
+    }
+
+    /**
+     * remove organization url
+     *
+     * @param uri
+     */
+    public void removeOrganizationURL(LocalizedURIType uri) {
+        this.organizationURL.remove(uri);
+    }
+
+    /**
+     * Gets the value of the extensions property.
+     *
+     * @return possible object is {@link ExtensionsType }
+     */
+    public ExtensionsType getExtensions() {
+        return extensions;
+    }
+
+    /**
+     * Sets the value of the extensions property.
+     *
+     * @param value allowed object is {@link ExtensionsType }
+     */
+    public void setExtensions(ExtensionsType value) {
+        this.extensions = value;
+    }
+
+    /**
+     * Gets the value of the organizationName property.
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link LocalizedNameType }
+     */
+    public List<LocalizedNameType> getOrganizationName() {
+        return Collections.unmodifiableList(this.organizationName);
+    }
+
+    /**
+     * Gets the value of the organizationDisplayName property.
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link LocalizedNameType }
+     */
+    public List<LocalizedNameType> getOrganizationDisplayName() {
+        return Collections.unmodifiableList(this.organizationDisplayName);
+    }
+
+    /**
+     * Gets the value of the organizationURL property.
+     */
+    public List<LocalizedURIType> getOrganizationURL() {
+        return Collections.unmodifiableList(this.organizationURL);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/PDPDescriptorType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/PDPDescriptorType.java
new file mode 100755
index 0000000000..0bd79a988d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/PDPDescriptorType.java
@@ -0,0 +1,139 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for PDPDescriptorType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="PDPDescriptorType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptorType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AuthzService" maxOccurs="unbounded"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AssertionIDRequestService" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class PDPDescriptorType extends RoleDescriptorType {
+
+    protected List<EndpointType> authzService = new ArrayList<EndpointType>();
+
+    protected List<EndpointType> assertionIDRequestService = new ArrayList<EndpointType>();
+
+    protected List<String> nameIDFormat = new ArrayList<String>();
+
+    public PDPDescriptorType(List<String> protocolSupport) {
+        super(protocolSupport);
+    }
+
+    /**
+     * Add authorization service
+     *
+     * @param endpt
+     */
+    public void addAuthZService(EndpointType endpt) {
+        this.authzService.add(endpt);
+    }
+
+    /**
+     * Add assertion id request service
+     *
+     * @param endpt
+     */
+    public void addAssertionIDRequestService(EndpointType endpt) {
+        this.assertionIDRequestService.add(endpt);
+    }
+
+    /**
+     * Add Name ID Format
+     *
+     * @param str
+     */
+    public void addNameIDFormat(String str) {
+        this.nameIDFormat.add(str);
+    }
+
+    /**
+     * remove authorization service
+     *
+     * @param endpt
+     */
+    public void removeAuthZService(EndpointType endpt) {
+        this.authzService.remove(endpt);
+    }
+
+    /**
+     * remove assertion id request service
+     *
+     * @param endpt
+     */
+    public void removeAssertionIDRequestService(EndpointType endpt) {
+        this.assertionIDRequestService.remove(endpt);
+    }
+
+    /**
+     * remove Name ID Format
+     *
+     * @param str
+     */
+    public void removeNameIDFormat(String str) {
+        this.nameIDFormat.remove(str);
+    }
+
+    /**
+     * Gets the value of the authzService property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link EndpointType }
+     */
+    public List<EndpointType> getAuthzService() {
+        return Collections.unmodifiableList(this.authzService);
+    }
+
+    /**
+     * Gets the value of the assertionIDRequestService property.
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link EndpointType }
+     */
+    public List<EndpointType> getAssertionIDRequestService() {
+        return Collections.unmodifiableList(this.assertionIDRequestService);
+    }
+
+    /**
+     * Gets the value of the nameIDFormat property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link String }
+     */
+    public List<String> getNameIDFormat() {
+        return Collections.unmodifiableList(this.nameIDFormat);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/RequestedAttributeType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/RequestedAttributeType.java
new file mode 100755
index 0000000000..2d6bb859a0
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/RequestedAttributeType.java
@@ -0,0 +1,66 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
+
+/**
+ * <p>
+ * Java class for RequestedAttributeType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="RequestedAttributeType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:assertion}AttributeType">
+ *       &lt;attribute name="isRequired" type="{http://www.w3.org/2001/XMLSchema}boolean" />
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class RequestedAttributeType extends AttributeType {
+
+    private static final long serialVersionUID = 1L;
+
+    public RequestedAttributeType(String name) {
+        super(name);
+    }
+
+    protected Boolean isRequired = Boolean.FALSE;
+
+    /**
+     * Gets the value of the isRequired property.
+     *
+     * @return possible object is {@link Boolean }
+     */
+    public Boolean isIsRequired() {
+        return isRequired;
+    }
+
+    /**
+     * Sets the value of the isRequired property.
+     *
+     * @param value allowed object is {@link Boolean }
+     */
+    public void setIsRequired(Boolean value) {
+        this.isRequired = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/RoleDescriptorType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/RoleDescriptorType.java
new file mode 100755
index 0000000000..67a366c507
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/RoleDescriptorType.java
@@ -0,0 +1,271 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import org.w3c.dom.Element;
+
+import javax.xml.datatype.Duration;
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for RoleDescriptorType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="RoleDescriptorType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}Signature" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}Extensions" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}KeyDescriptor" maxOccurs="unbounded" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}Organization" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}ContactPerson" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="ID" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *       &lt;attribute name="validUntil" type="{http://www.w3.org/2001/XMLSchema}dateTime" />
+ *       &lt;attribute name="cacheDuration" type="{http://www.w3.org/2001/XMLSchema}duration" />
+ *       &lt;attribute name="protocolSupportEnumeration" use="required" type="{urn:oasis:names:tc:SAML:2.0:metadata}anyURIListType"
+ * />
+ *       &lt;attribute name="errorURL" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public abstract class RoleDescriptorType extends TypeWithOtherAttributes {
+
+    protected Element signature;
+
+    protected ExtensionsType extensions;
+
+    protected List<KeyDescriptorType> keyDescriptor = new ArrayList<KeyDescriptorType>();
+
+    protected OrganizationType organization;
+
+    protected List<ContactType> contactPerson = new ArrayList<ContactType>();
+
+    protected String id;
+
+    protected XMLGregorianCalendar validUntil;
+
+    protected Duration cacheDuration;
+
+    protected List<String> protocolSupportEnumeration = new ArrayList<String>();
+
+    protected String errorURL;
+
+    public RoleDescriptorType(List<String> protocolSupport) {
+        protocolSupportEnumeration.addAll(protocolSupport);
+    }
+
+    /**
+     * Add key descriptor
+     *
+     * @param keyD
+     */
+    public void addKeyDescriptor(KeyDescriptorType keyD) {
+        this.keyDescriptor.add(keyD);
+    }
+
+    /**
+     * Add contact
+     *
+     * @param contact
+     */
+    public void addContactPerson(ContactType contact) {
+        this.contactPerson.add(contact);
+    }
+
+    /**
+     * remove key descriptor
+     *
+     * @param keyD
+     */
+    public void removeKeyDescriptor(KeyDescriptorType keyD) {
+        this.keyDescriptor.remove(keyD);
+    }
+
+    /**
+     * remove contact
+     *
+     * @param contact
+     */
+    public void removeContactPerson(ContactType contact) {
+        this.contactPerson.remove(contact);
+    }
+
+    /**
+     * Gets the value of the signature property.
+     *
+     * @return possible object is {@link org.keycloak.dom.xmlsec.w3.xmldsig.SignatureType }
+     */
+    public Element getSignature() {
+        return signature;
+    }
+
+    /**
+     * Sets the value of the signature property.
+     *
+     * @param value allowed object is {@link org.keycloak.dom.xmlsec.w3.xmldsig.SignatureType }
+     */
+    public void setSignature(Element value) {
+        this.signature = value;
+    }
+
+    /**
+     * Gets the value of the extensions property.
+     *
+     * @return possible object is {@link ExtensionsType }
+     */
+    public ExtensionsType getExtensions() {
+        return extensions;
+    }
+
+    /**
+     * Sets the value of the extensions property.
+     *
+     * @param value allowed object is {@link ExtensionsType }
+     */
+    public void setExtensions(ExtensionsType value) {
+        this.extensions = value;
+    }
+
+    /**
+     * Gets the value of the keyDescriptor property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link KeyDescriptorType }
+     */
+    public List<KeyDescriptorType> getKeyDescriptor() {
+        return Collections.unmodifiableList(this.keyDescriptor);
+    }
+
+    /**
+     * Gets the value of the organization property.
+     *
+     * @return possible object is {@link OrganizationType }
+     */
+    public OrganizationType getOrganization() {
+        return organization;
+    }
+
+    /**
+     * Sets the value of the organization property.
+     *
+     * @param value allowed object is {@link OrganizationType }
+     */
+    public void setOrganization(OrganizationType value) {
+        this.organization = value;
+    }
+
+    /**
+     * Gets the value of the contactPerson property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ContactType }
+     */
+    public List<ContactType> getContactPerson() {
+        return Collections.unmodifiableList(this.contactPerson);
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getID() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setID(String value) {
+        this.id = value;
+    }
+
+    /**
+     * Gets the value of the validUntil property.
+     *
+     * @return possible object is {@link XMLGregorianCalendar }
+     */
+    public XMLGregorianCalendar getValidUntil() {
+        return validUntil;
+    }
+
+    /**
+     * Sets the value of the validUntil property.
+     *
+     * @param value allowed object is {@link XMLGregorianCalendar }
+     */
+    public void setValidUntil(XMLGregorianCalendar value) {
+        this.validUntil = value;
+    }
+
+    /**
+     * Gets the value of the cacheDuration property.
+     *
+     * @return possible object is {@link Duration }
+     */
+    public Duration getCacheDuration() {
+        return cacheDuration;
+    }
+
+    /**
+     * Sets the value of the cacheDuration property.
+     *
+     * @param value allowed object is {@link Duration }
+     */
+    public void setCacheDuration(Duration value) {
+        this.cacheDuration = value;
+    }
+
+    /**
+     * Gets the value of the protocolSupportEnumeration property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link String }
+     */
+    public List<String> getProtocolSupportEnumeration() {
+        return Collections.unmodifiableList(this.protocolSupportEnumeration);
+    }
+
+    /**
+     * Gets the value of the errorURL property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getErrorURL() {
+        return errorURL;
+    }
+
+    /**
+     * Sets the value of the errorURL property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setErrorURL(String value) {
+        this.errorURL = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/SPSSODescriptorType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/SPSSODescriptorType.java
new file mode 100755
index 0000000000..1f3605b635
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/SPSSODescriptorType.java
@@ -0,0 +1,150 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for SPSSODescriptorType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SPSSODescriptorType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:metadata}SSODescriptorType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AssertionConsumerService" maxOccurs="unbounded"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}AttributeConsumingService" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="AuthnRequestsSigned" type="{http://www.w3.org/2001/XMLSchema}boolean" />
+ *       &lt;attribute name="WantAssertionsSigned" type="{http://www.w3.org/2001/XMLSchema}boolean" />
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class SPSSODescriptorType extends SSODescriptorType {
+
+    protected List<IndexedEndpointType> assertionConsumerService = new ArrayList<IndexedEndpointType>();
+
+    protected List<AttributeConsumingServiceType> attributeConsumingService = new ArrayList<AttributeConsumingServiceType>();
+
+    protected boolean authnRequestsSigned = false;
+
+    protected boolean wantAssertionsSigned = false;
+
+    public SPSSODescriptorType(List<String> protocolSupport) {
+        super(protocolSupport);
+    }
+
+    /**
+     * Add an Assertion Consumer Service
+     *
+     * @param assertionConsumer an endpoint of type {@link IndexedEndpointType}
+     */
+    public void addAssertionConsumerService(IndexedEndpointType assertionConsumer) {
+        this.assertionConsumerService.add(assertionConsumer);
+    }
+
+    /**
+     * Add an attribute consumer
+     *
+     * @param attributeConsumer an instance of type {@link AttributeConsumingServiceType}
+     */
+    public void addAttributeConsumerService(AttributeConsumingServiceType attributeConsumer) {
+        this.attributeConsumingService.add(attributeConsumer);
+    }
+
+    /**
+     * Remove an Assertion Consumer Service
+     *
+     * @param assertionConsumer an endpoint of type {@link IndexedEndpointType}
+     */
+    public void removeAssertionConsumerService(IndexedEndpointType assertionConsumer) {
+        this.assertionConsumerService.remove(assertionConsumer);
+    }
+
+    /**
+     * Remove an attribute consumer
+     *
+     * @param attributeConsumer an instance of type {@link AttributeConsumingServiceType}
+     */
+    public void removeAttributeConsumerService(AttributeConsumingServiceType attributeConsumer) {
+        this.attributeConsumingService.remove(attributeConsumer);
+    }
+
+    /**
+     * Gets the value of the assertionConsumerService property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link IndexedEndpointType }
+     */
+    public List<IndexedEndpointType> getAssertionConsumerService() {
+        return Collections.unmodifiableList(this.assertionConsumerService);
+    }
+
+    /**
+     * Gets the value of the attributeConsumingService property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link AttributeConsumingServiceType }
+     */
+    public List<AttributeConsumingServiceType> getAttributeConsumingService() {
+        return Collections.unmodifiableList(this.attributeConsumingService);
+    }
+
+    /**
+     * Gets the value of the authnRequestsSigned property.
+     *
+     * @return possible object is {@link Boolean }
+     */
+    public Boolean isAuthnRequestsSigned() {
+        return authnRequestsSigned;
+    }
+
+    /**
+     * Sets the value of the authnRequestsSigned property.
+     *
+     * @param value allowed object is {@link Boolean }
+     */
+    public void setAuthnRequestsSigned(Boolean value) {
+        this.authnRequestsSigned = value;
+    }
+
+    /**
+     * Gets the value of the wantAssertionsSigned property.
+     *
+     * @return possible object is {@link Boolean }
+     */
+    public Boolean isWantAssertionsSigned() {
+        return wantAssertionsSigned;
+    }
+
+    /**
+     * Sets the value of the wantAssertionsSigned property.
+     *
+     * @param value allowed object is {@link Boolean }
+     */
+    public void setWantAssertionsSigned(Boolean value) {
+        this.wantAssertionsSigned = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/SSODescriptorType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/SSODescriptorType.java
new file mode 100755
index 0000000000..ffab7feb5d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/SSODescriptorType.java
@@ -0,0 +1,170 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for SSODescriptorType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SSODescriptorType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:metadata}RoleDescriptorType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}ArtifactResolutionService" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}SingleLogoutService" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}ManageNameIDService" maxOccurs="unbounded"
+ * minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:metadata}NameIDFormat" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public abstract class SSODescriptorType extends RoleDescriptorType {
+
+    protected List<IndexedEndpointType> artifactResolutionService = new ArrayList<IndexedEndpointType>();
+
+    protected List<EndpointType> singleLogoutService = new ArrayList<EndpointType>();
+
+    protected List<EndpointType> manageNameIDService = new ArrayList<EndpointType>();
+
+    protected List<String> nameIDFormat = new ArrayList<String>();
+
+    public SSODescriptorType(List<String> protocolSupport) {
+        super(protocolSupport);
+    }
+
+    /**
+     * Add SLO Service
+     *
+     * @param endpt
+     */
+    public void addSingleLogoutService(EndpointType endpt) {
+        this.singleLogoutService.add(endpt);
+    }
+
+    /**
+     * Add atrifact resolution service
+     *
+     * @param i
+     */
+    public void addArtifactResolutionService(IndexedEndpointType i) {
+        this.artifactResolutionService.add(i);
+    }
+
+    /**
+     * Add manage name id service
+     *
+     * @param end
+     */
+    public void addManageNameIDService(EndpointType end) {
+        this.manageNameIDService.add(end);
+    }
+
+    /**
+     * Add Name ID Format
+     *
+     * @param s
+     */
+    public void addNameIDFormat(String s) {
+        this.nameIDFormat.add(s);
+    }
+
+    /**
+     * remove SLO Service
+     *
+     * @param endpt
+     */
+    public void removeSingleLogoutService(EndpointType endpt) {
+        this.singleLogoutService.remove(endpt);
+    }
+
+    /**
+     * remove atrifact resolution service
+     *
+     * @param i
+     */
+    public void removeArtifactResolutionService(IndexedEndpointType i) {
+        this.artifactResolutionService.remove(i);
+    }
+
+    /**
+     * remove manage name id service
+     *
+     * @param end
+     */
+    public void removeManageNameIDService(EndpointType end) {
+        this.manageNameIDService.remove(end);
+    }
+
+    /**
+     * remove Name ID Format
+     *
+     * @param s
+     */
+    public void removeNameIDFormat(String s) {
+        this.nameIDFormat.remove(s);
+    }
+
+    /**
+     * Gets the value of the artifactResolutionService property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link IndexedEndpointType }
+     */
+    public List<IndexedEndpointType> getArtifactResolutionService() {
+        return Collections.unmodifiableList(this.artifactResolutionService);
+    }
+
+    /**
+     * Gets the value of the singleLogoutService property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link EndpointType }
+     */
+    public List<EndpointType> getSingleLogoutService() {
+        return Collections.unmodifiableList(this.singleLogoutService);
+    }
+
+    /**
+     * Gets the value of the manageNameIDService property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link EndpointType }
+     */
+    public List<EndpointType> getManageNameIDService() {
+        return Collections.unmodifiableList(this.manageNameIDService);
+    }
+
+    /**
+     * Gets the value of the nameIDFormat property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link String }
+     */
+    public List<String> getNameIDFormat() {
+        return Collections.unmodifiableList(this.nameIDFormat);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/TypeWithOtherAttributes.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/TypeWithOtherAttributes.java
new file mode 100755
index 0000000000..e261e7efe2
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/TypeWithOtherAttributes.java
@@ -0,0 +1,63 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
+import javax.xml.namespace.QName;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Abstract base class for types that can have extra attributes
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 10, 2010
+ */
+public abstract class TypeWithOtherAttributes {
+
+    protected Map<QName, String> otherAttributes = new HashMap<QName, String>();
+
+    /**
+     * Add other attribute
+     *
+     * @param qame
+     * @param value
+     */
+    public void addOtherAttribute(QName qame, String value) {
+        otherAttributes.put(qame, value);
+    }
+
+    /**
+     * Remove other attribute
+     *
+     * @param qame
+     * @param value
+     */
+    public void removeOtherAttribute(QName qame) {
+        otherAttributes.remove(qame);
+    }
+
+    /**
+     * Gets a map that contains attributes that aren't bound to any typed property on this class.
+     *
+     * @return always non-null
+     */
+    public Map<QName, String> getOtherAttributes() {
+        return Collections.unmodifiableMap(otherAttributes);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/package-info.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/package-info.java
new file mode 100755
index 0000000000..1423071e92
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/metadata/package-info.java
@@ -0,0 +1,19 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.metadata;
+
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/attribute/dce/DCEValueType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/attribute/dce/DCEValueType.java
new file mode 100755
index 0000000000..f2c92b4db7
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/attribute/dce/DCEValueType.java
@@ -0,0 +1,99 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.profiles.attribute.dce;
+
+/**
+ * <p>
+ * Java class for DCEValueType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="DCEValueType">
+ *   &lt;simpleContent>
+ *     &lt;extension base="&lt;http://www.w3.org/2001/XMLSchema>anyURI">
+ *       &lt;attribute ref="{urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE}Realm"/>
+ *       &lt;attribute ref="{urn:oasis:names:tc:SAML:2.0:profiles:attribute:DCE}FriendlyName"/>
+ *     &lt;/extension>
+ *   &lt;/simpleContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class DCEValueType {
+
+    protected String value;
+    protected String realm;
+    protected String friendlyName;
+
+    /**
+     * Gets the value of the value property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getValue() {
+        return value;
+    }
+
+    /**
+     * Sets the value of the value property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setValue(String value) {
+        this.value = value;
+    }
+
+    /**
+     * Gets the value of the realm property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getRealm() {
+        return realm;
+    }
+
+    /**
+     * Sets the value of the realm property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setRealm(String value) {
+        this.realm = value;
+    }
+
+    /**
+     * Gets the value of the friendlyName property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getFriendlyName() {
+        return friendlyName;
+    }
+
+    /**
+     * Sets the value of the friendlyName property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setFriendlyName(String value) {
+        this.friendlyName = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/attribute/dce/package-info.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/attribute/dce/package-info.java
new file mode 100755
index 0000000000..69778c83df
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/attribute/dce/package-info.java
@@ -0,0 +1,20 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.profiles.attribute.dce;
+
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/RelayStateType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/RelayStateType.java
new file mode 100755
index 0000000000..f7a43f6b37
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/RelayStateType.java
@@ -0,0 +1,99 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.profiles.sso.ecp;
+
+/**
+ * <p>
+ * Java class for RelayStateType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="RelayStateType">
+ *   &lt;simpleContent>
+ *     &lt;extension base="&lt;http://www.w3.org/2001/XMLSchema>string">
+ *       &lt;attribute ref="{http://schemas.xmlsoap.org/soap/envelope/}mustUnderstand use="required""/>
+ *       &lt;attribute ref="{http://schemas.xmlsoap.org/soap/envelope/}actor use="required""/>
+ *     &lt;/extension>
+ *   &lt;/simpleContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class RelayStateType {
+
+    protected String value;
+    protected Boolean mustUnderstand = Boolean.FALSE;
+    protected String actor;
+
+    /**
+     * Gets the value of the value property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getValue() {
+        return value;
+    }
+
+    /**
+     * Sets the value of the value property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setValue(String value) {
+        this.value = value;
+    }
+
+    /**
+     * Gets the value of the mustUnderstand property.
+     *
+     * @return possible object is {@link String }
+     */
+    public Boolean isMustUnderstand() {
+        return mustUnderstand;
+    }
+
+    /**
+     * Sets the value of the mustUnderstand property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setMustUnderstand(Boolean value) {
+        this.mustUnderstand = value;
+    }
+
+    /**
+     * Gets the value of the actor property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getActor() {
+        return actor;
+    }
+
+    /**
+     * Sets the value of the actor property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setActor(String value) {
+        this.actor = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/RequestType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/RequestType.java
new file mode 100755
index 0000000000..754b982de5
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/RequestType.java
@@ -0,0 +1,165 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.profiles.sso.ecp;
+
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.protocol.IDPListType;
+
+/**
+ * <p>
+ * Java class for RequestType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="RequestType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Issuer"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}IDPList" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute ref="{http://schemas.xmlsoap.org/soap/envelope/}mustUnderstand use="required""/>
+ *       &lt;attribute ref="{http://schemas.xmlsoap.org/soap/envelope/}actor use="required""/>
+ *       &lt;attribute name="ProviderName" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *       &lt;attribute name="IsPassive" type="{http://www.w3.org/2001/XMLSchema}boolean" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class RequestType {
+
+    protected NameIDType issuer;
+    protected IDPListType idpList;
+    protected Boolean mustUnderstand = Boolean.FALSE;
+    protected String actor;
+    protected String providerName;
+    protected Boolean isPassive = Boolean.FALSE;
+
+    /**
+     * Gets the value of the issuer property.
+     *
+     * @return possible object is {@link NameIDType }
+     */
+    public NameIDType getIssuer() {
+        return issuer;
+    }
+
+    /**
+     * Sets the value of the issuer property.
+     *
+     * @param value allowed object is {@link NameIDType }
+     */
+    public void setIssuer(NameIDType value) {
+        this.issuer = value;
+    }
+
+    /**
+     * Gets the value of the idpList property.
+     *
+     * @return possible object is {@link IDPListType }
+     */
+    public IDPListType getIDPList() {
+        return idpList;
+    }
+
+    /**
+     * Sets the value of the idpList property.
+     *
+     * @param value allowed object is {@link IDPListType }
+     */
+    public void setIDPList(IDPListType value) {
+        this.idpList = value;
+    }
+
+    /**
+     * Gets the value of the mustUnderstand property.
+     *
+     * @return possible object is {@link String }
+     */
+    public Boolean isMustUnderstand() {
+        return mustUnderstand;
+    }
+
+    /**
+     * Sets the value of the mustUnderstand property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setMustUnderstand(Boolean value) {
+        this.mustUnderstand = value;
+    }
+
+    /**
+     * Gets the value of the actor property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getActor() {
+        return actor;
+    }
+
+    /**
+     * Sets the value of the actor property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setActor(String value) {
+        this.actor = value;
+    }
+
+    /**
+     * Gets the value of the providerName property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getProviderName() {
+        return providerName;
+    }
+
+    /**
+     * Sets the value of the providerName property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setProviderName(String value) {
+        this.providerName = value;
+    }
+
+    /**
+     * Gets the value of the isPassive property.
+     *
+     * @return possible object is {@link Boolean }
+     */
+    public Boolean isIsPassive() {
+        return isPassive;
+    }
+
+    /**
+     * Sets the value of the isPassive property.
+     *
+     * @param value allowed object is {@link Boolean }
+     */
+    public void setIsPassive(Boolean value) {
+        this.isPassive = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/ResponseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/ResponseType.java
new file mode 100755
index 0000000000..bb2755ce29
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/ResponseType.java
@@ -0,0 +1,101 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.profiles.sso.ecp;
+
+/**
+ * <p>
+ * Java class for ResponseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ResponseType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute ref="{http://schemas.xmlsoap.org/soap/envelope/}mustUnderstand use="required""/>
+ *       &lt;attribute ref="{http://schemas.xmlsoap.org/soap/envelope/}actor use="required""/>
+ *       &lt;attribute name="AssertionConsumerServiceURL" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI"
+ * />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ResponseType {
+
+    protected Boolean mustUnderstand = Boolean.FALSE;
+    protected String actor;
+    protected String assertionConsumerServiceURL;
+
+    /**
+     * Gets the value of the mustUnderstand property.
+     *
+     * @return possible object is {@link String }
+     */
+    public Boolean isMustUnderstand() {
+        return mustUnderstand;
+    }
+
+    /**
+     * Sets the value of the mustUnderstand property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setMustUnderstand(Boolean value) {
+        this.mustUnderstand = value;
+    }
+
+    /**
+     * Gets the value of the actor property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getActor() {
+        return actor;
+    }
+
+    /**
+     * Sets the value of the actor property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setActor(String value) {
+        this.actor = value;
+    }
+
+    /**
+     * Gets the value of the assertionConsumerServiceURL property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getAssertionConsumerServiceURL() {
+        return assertionConsumerServiceURL;
+    }
+
+    /**
+     * Sets the value of the assertionConsumerServiceURL property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setAssertionConsumerServiceURL(String value) {
+        this.assertionConsumerServiceURL = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/package-info.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/package-info.java
new file mode 100755
index 0000000000..062ca36fec
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/profiles/sso/ecp/package-info.java
@@ -0,0 +1,20 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.saml.v2.profiles.sso.ecp;
+
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResolveType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResolveType.java
new file mode 100755
index 0000000000..6d6f3edc6b
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResolveType.java
@@ -0,0 +1,69 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+
+/**
+ * <p>
+ * Java class for ArtifactResolveType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ArtifactResolveType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:protocol}RequestAbstractType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}Artifact"/>
+ *       &lt;/sequence>
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ArtifactResolveType extends RequestAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected String artifact;
+
+    public ArtifactResolveType(String id, XMLGregorianCalendar instant) {
+        super(id, instant);
+    }
+
+    /**
+     * Gets the value of the artifact property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getArtifact() {
+        return artifact;
+    }
+
+    /**
+     * Sets the value of the artifact property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setArtifact(String value) {
+        this.artifact = value;
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResponseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResponseType.java
new file mode 100755
index 0000000000..8ec699c639
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ArtifactResponseType.java
@@ -0,0 +1,73 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+
+/**
+ * <p>
+ * Java class for ArtifactResponseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ArtifactResponseType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:protocol}StatusResponseType">
+ *       &lt;sequence>
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ArtifactResponseType extends StatusResponseType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected Object any;
+
+    public ArtifactResponseType(String id, XMLGregorianCalendar issueInstant) {
+        super(id, issueInstant);
+    }
+
+    public ArtifactResponseType(StatusResponseType srt) {
+        super(srt);
+    }
+
+    /**
+     * Gets the value of the any property.
+     *
+     * @return possible object is {@link org.w3c.dom.Element } {@link Object }
+     */
+    public Object getAny() {
+        return any;
+    }
+
+    /**
+     * Sets the value of the any property.
+     *
+     * @param value allowed object is {@link org.w3c.dom.Element } {@link Object }
+     */
+    public void setAny(Object value) {
+        this.any = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AssertionIDRequestType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AssertionIDRequestType.java
new file mode 100755
index 0000000000..4f3e9464aa
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AssertionIDRequestType.java
@@ -0,0 +1,78 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for AssertionIDRequestType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AssertionIDRequestType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:protocol}RequestAbstractType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AssertionIDRef" maxOccurs="unbounded"/>
+ *       &lt;/sequence>
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AssertionIDRequestType extends RequestAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<String> assertionIDRef = new ArrayList<String>();
+
+    public AssertionIDRequestType(String id, XMLGregorianCalendar instant) {
+        super(id, instant);
+    }
+
+    /**
+     * Add assertion id reference
+     *
+     * @param id
+     */
+    public void addAssertionIDRef(String id) {
+        assertionIDRef.add(id);
+    }
+
+    /**
+     * remove assertion id reference
+     *
+     * @param id
+     */
+    public void removeAssertionIDRef(String id) {
+        assertionIDRef.remove(id);
+    }
+
+    /**
+     * Gets the value of the assertionIDRef property.
+     */
+    public List<String> getAssertionIDRef() {
+        return Collections.unmodifiableList(this.assertionIDRef);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AttributeQueryType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AttributeQueryType.java
new file mode 100755
index 0000000000..9f706a5af4
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AttributeQueryType.java
@@ -0,0 +1,80 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for AttributeQueryType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AttributeQueryType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:protocol}SubjectQueryAbstractType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Attribute" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AttributeQueryType extends SubjectQueryAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<AttributeType> attribute = new ArrayList<AttributeType>();
+
+    public AttributeQueryType(String id, XMLGregorianCalendar instant) {
+        super(id, instant);
+    }
+
+    /**
+     * Add an attribute
+     *
+     * @param att
+     */
+    public void add(AttributeType att) {
+        this.attribute.add(att);
+    }
+
+    /**
+     * Remove an attribute
+     *
+     * @param att
+     */
+    public void remove(AttributeType att) {
+        this.attribute.remove(att);
+    }
+
+    /**
+     * Gets the value of the attribute property.
+     */
+    public List<AttributeType> getAttribute() {
+        return Collections.unmodifiableList(this.attribute);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnContextComparisonType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnContextComparisonType.java
new file mode 100755
index 0000000000..7c691a5040
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnContextComparisonType.java
@@ -0,0 +1,60 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+/**
+ * <p>
+ * Java class for AuthnContextComparisonType.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ * <p>
+ *
+ * <pre>
+ * &lt;simpleType name="AuthnContextComparisonType">
+ *   &lt;restriction base="{http://www.w3.org/2001/XMLSchema}string">
+ *     &lt;enumeration value="exact"/>
+ *     &lt;enumeration value="minimum"/>
+ *     &lt;enumeration value="maximum"/>
+ *     &lt;enumeration value="better"/>
+ *   &lt;/restriction>
+ * &lt;/simpleType>
+ * </pre>
+ */
+public enum AuthnContextComparisonType {
+    EXACT("exact"), MINIMUM("minimum"), MAXIMUM("maximum"), BETTER("better");
+
+    private final String value;
+
+    AuthnContextComparisonType(String v) {
+        value = v;
+    }
+
+    public String value() {
+        return value;
+    }
+
+    public static AuthnContextComparisonType fromValue(String v) {
+        for (AuthnContextComparisonType c : AuthnContextComparisonType.values()) {
+            if (c.value.equals(v)) {
+                return c;
+            }
+        }
+        throw new IllegalArgumentException(v);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnQueryType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnQueryType.java
new file mode 100755
index 0000000000..d6951ebff7
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnQueryType.java
@@ -0,0 +1,89 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+
+/**
+ * <p>
+ * Java class for AuthnQueryType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthnQueryType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:protocol}SubjectQueryAbstractType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}RequestedAuthnContext" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="SessionIndex" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AuthnQueryType extends SubjectQueryAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected RequestedAuthnContextType requestedAuthnContext;
+
+    protected String sessionIndex;
+
+    public AuthnQueryType(String id, XMLGregorianCalendar instant) {
+        super(id, instant);
+    }
+
+    /**
+     * Gets the value of the requestedAuthnContext property.
+     *
+     * @return possible object is {@link RequestedAuthnContextType }
+     */
+    public RequestedAuthnContextType getRequestedAuthnContext() {
+        return requestedAuthnContext;
+    }
+
+    /**
+     * Sets the value of the requestedAuthnContext property.
+     *
+     * @param value allowed object is {@link RequestedAuthnContextType }
+     */
+    public void setRequestedAuthnContext(RequestedAuthnContextType value) {
+        this.requestedAuthnContext = value;
+    }
+
+    /**
+     * Gets the value of the sessionIndex property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getSessionIndex() {
+        return sessionIndex;
+    }
+
+    /**
+     * Sets the value of the sessionIndex property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setSessionIndex(String value) {
+        this.sessionIndex = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnRequestType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnRequestType.java
new file mode 100755
index 0000000000..aa6c8d9d8d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthnRequestType.java
@@ -0,0 +1,324 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import org.keycloak.dom.saml.v2.assertion.ConditionsType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.assertion.SubjectType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.net.URI;
+
+/**
+ * <p>
+ * Java class for AuthnRequestType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthnRequestType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:protocol}RequestAbstractType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Subject" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}NameIDPolicy" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Conditions" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}RequestedAuthnContext" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}Scoping" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="ForceAuthn" type="{http://www.w3.org/2001/XMLSchema}boolean" />
+ *       &lt;attribute name="IsPassive" type="{http://www.w3.org/2001/XMLSchema}boolean" />
+ *       &lt;attribute name="ProtocolBinding" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="AssertionConsumerServiceIndex" type="{http://www.w3.org/2001/XMLSchema}unsignedShort" />
+ *       &lt;attribute name="AssertionConsumerServiceURL" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="AttributeConsumingServiceIndex" type="{http://www.w3.org/2001/XMLSchema}unsignedShort" />
+ *       &lt;attribute name="ProviderName" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AuthnRequestType extends RequestAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected SubjectType subject;
+
+    protected NameIDPolicyType nameIDPolicy;
+
+    protected ConditionsType conditions;
+
+    protected RequestedAuthnContextType requestedAuthnContext;
+
+    protected ScopingType scoping;
+
+    protected Boolean forceAuthn = Boolean.FALSE;
+
+    protected Boolean isPassive = Boolean.FALSE;
+
+    protected URI protocolBinding;
+
+    protected Integer assertionConsumerServiceIndex;
+
+    protected URI assertionConsumerServiceURL;
+
+    protected Integer attributeConsumingServiceIndex;
+
+    protected String providerName;
+
+    public AuthnRequestType(String id, XMLGregorianCalendar instant) {
+        super(id, instant);
+    }
+
+    /**
+     * Gets the value of the subject property.
+     *
+     * @return possible object is {@link SubjectType }
+     */
+    public SubjectType getSubject() {
+        return subject;
+    }
+
+    /**
+     * Sets the value of the subject property.
+     *
+     * @param value allowed object is {@link SubjectType }
+     */
+    public void setSubject(SubjectType value) {
+        this.subject = value;
+    }
+
+    /**
+     * Gets the value of the nameIDPolicy property.
+     *
+     * @return possible object is {@link NameIDPolicyType }
+     */
+    public NameIDPolicyType getNameIDPolicy() {
+        return nameIDPolicy;
+    }
+
+    /**
+     * Sets the value of the nameIDPolicy property.
+     *
+     * @param value allowed object is {@link NameIDPolicyType }
+     */
+    public void setNameIDPolicy(NameIDPolicyType value) {
+        this.nameIDPolicy = value;
+    }
+
+    /**
+     * Gets the value of the conditions property.
+     *
+     * @return possible object is {@link ConditionsType }
+     */
+    public ConditionsType getConditions() {
+        return conditions;
+    }
+
+    /**
+     * Sets the value of the conditions property.
+     *
+     * @param value allowed object is {@link ConditionsType }
+     */
+    public void setConditions(ConditionsType value) {
+        this.conditions = value;
+    }
+
+    /**
+     * Gets the value of the requestedAuthnContext property.
+     *
+     * @return possible object is {@link RequestedAuthnContextType }
+     */
+    public RequestedAuthnContextType getRequestedAuthnContext() {
+        return requestedAuthnContext;
+    }
+
+    /**
+     * Sets the value of the requestedAuthnContext property.
+     *
+     * @param value allowed object is {@link RequestedAuthnContextType }
+     */
+    public void setRequestedAuthnContext(RequestedAuthnContextType value) {
+        this.requestedAuthnContext = value;
+    }
+
+    /**
+     * Gets the value of the scoping property.
+     *
+     * @return possible object is {@link ScopingType }
+     */
+    public ScopingType getScoping() {
+        return scoping;
+    }
+
+    /**
+     * Sets the value of the scoping property.
+     *
+     * @param value allowed object is {@link ScopingType }
+     */
+    public void setScoping(ScopingType value) {
+        this.scoping = value;
+    }
+
+    /**
+     * Gets the value of the forceAuthn property.
+     *
+     * @return possible object is {@link Boolean }
+     */
+    public Boolean isForceAuthn() {
+        return forceAuthn;
+    }
+
+    /**
+     * Sets the value of the forceAuthn property.
+     *
+     * @param value allowed object is {@link Boolean }
+     */
+    public void setForceAuthn(Boolean value) {
+        this.forceAuthn = value;
+    }
+
+    /**
+     * Gets the value of the isPassive property.
+     *
+     * @return possible object is {@link Boolean }
+     */
+    public Boolean isIsPassive() {
+        return isPassive;
+    }
+
+    /**
+     * Sets the value of the isPassive property.
+     *
+     * @param value allowed object is {@link Boolean }
+     */
+    public void setIsPassive(Boolean value) {
+        this.isPassive = value;
+    }
+
+    /**
+     * Gets the value of the protocolBinding property.
+     *
+     * @return possible object is {@link String }
+     */
+    public URI getProtocolBinding() {
+        return protocolBinding;
+    }
+
+    /**
+     * Sets the value of the protocolBinding property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setProtocolBinding(URI value) {
+        this.protocolBinding = value;
+    }
+
+    /**
+     * Gets the value of the assertionConsumerServiceIndex property.
+     *
+     * @return possible object is {@link Integer }
+     */
+    public Integer getAssertionConsumerServiceIndex() {
+        return assertionConsumerServiceIndex;
+    }
+
+    /**
+     * Sets the value of the assertionConsumerServiceIndex property.
+     *
+     * @param value allowed object is {@link Integer }
+     */
+    public void setAssertionConsumerServiceIndex(Integer value) {
+        this.assertionConsumerServiceIndex = value;
+    }
+
+    /**
+     * Gets the value of the assertionConsumerServiceURL property.
+     *
+     * @return possible object is {@link String }
+     */
+    public URI getAssertionConsumerServiceURL() {
+        return assertionConsumerServiceURL;
+    }
+
+    /**
+     * Sets the value of the assertionConsumerServiceURL property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setAssertionConsumerServiceURL(URI value) {
+        this.assertionConsumerServiceURL = value;
+    }
+
+    /**
+     * Gets the value of the attributeConsumingServiceIndex property.
+     *
+     * @return possible object is {@link Integer }
+     */
+    public Integer getAttributeConsumingServiceIndex() {
+        return attributeConsumingServiceIndex;
+    }
+
+    /**
+     * Sets the value of the attributeConsumingServiceIndex property.
+     *
+     * @param value allowed object is {@link Integer }
+     */
+    public void setAttributeConsumingServiceIndex(Integer value) {
+        this.attributeConsumingServiceIndex = value;
+    }
+
+    /**
+     * Gets the value of the providerName property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getProviderName() {
+        return providerName;
+    }
+
+    /**
+     * Sets the value of the providerName property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setProviderName(String value) {
+        this.providerName = value;
+    }
+
+    public URI getSenderURL() {
+        URI assertionConsumerServiceURL = getAssertionConsumerServiceURL();
+
+        if (assertionConsumerServiceURL != null) {
+            return assertionConsumerServiceURL;
+        }
+
+        NameIDType issuer = getIssuer();
+
+        try {
+            if (issuer != null) {
+                return URI.create(issuer.getValue());
+            }
+        } catch (Exception e) {
+            throw new RuntimeException("Could not resolve sender URL using the Issuer value [" + issuer.getValue() + "]." , e);
+        }
+
+        throw new RuntimeException("Could not resolve sender URL. AuthnRequest must have a value for AssertionConsumerServiceURL or Issuer.");
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthzDecisionQueryType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthzDecisionQueryType.java
new file mode 100755
index 0000000000..20ee1b9776
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/AuthzDecisionQueryType.java
@@ -0,0 +1,124 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import org.keycloak.dom.saml.v2.assertion.ActionType;
+import org.keycloak.dom.saml.v2.assertion.EvidenceType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for AuthzDecisionQueryType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AuthzDecisionQueryType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:protocol}SubjectQueryAbstractType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Action" maxOccurs="unbounded"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Evidence" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Resource" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AuthzDecisionQueryType extends SubjectQueryAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<ActionType> action = new ArrayList<ActionType>();
+
+    protected EvidenceType evidence;
+
+    protected URI resource;
+
+    public AuthzDecisionQueryType(String id, XMLGregorianCalendar instant) {
+        super(id, instant);
+    }
+
+    /**
+     * Add an action
+     *
+     * @param act
+     */
+    public void addAction(ActionType act) {
+        this.action.add(act);
+    }
+
+    /**
+     * Remove an action
+     *
+     * @param act
+     */
+    public void removeAction(ActionType act) {
+        this.action.remove(act);
+    }
+
+    /**
+     * Gets the value of the action property.
+     */
+    public List<ActionType> getAction() {
+        return Collections.unmodifiableList(this.action);
+    }
+
+    /**
+     * Gets the value of the evidence property.
+     *
+     * @return possible object is {@link EvidenceType }
+     */
+    public EvidenceType getEvidence() {
+        return evidence;
+    }
+
+    /**
+     * Sets the value of the evidence property.
+     *
+     * @param value allowed object is {@link EvidenceType }
+     */
+    public void setEvidence(EvidenceType value) {
+        this.evidence = value;
+    }
+
+    /**
+     * Gets the value of the resource property.
+     *
+     * @return possible object is {@link String }
+     */
+    public URI getResource() {
+        return resource;
+    }
+
+    /**
+     * Sets the value of the resource property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setResource(URI value) {
+        this.resource = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ExtensionsType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ExtensionsType.java
new file mode 100755
index 0000000000..1ade2792b8
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ExtensionsType.java
@@ -0,0 +1,71 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for ExtensionsType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ExtensionsType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ExtensionsType {
+
+    protected List<Object> any = new ArrayList<Object>();
+
+    /**
+     * Add an extension
+     *
+     * @param extension
+     */
+    public void addExtension(Object extension) {
+        any.add(extension);
+    }
+
+    /**
+     * Remove an extension
+     *
+     * @param extension
+     */
+    public void removeExtension(Object extension) {
+        any.remove(extension);
+    }
+
+    /**
+     * Gets the value of the any property.
+     */
+    public List<Object> getAny() {
+        return Collections.unmodifiableList(this.any);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/IDPEntryType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/IDPEntryType.java
new file mode 100755
index 0000000000..81f741847d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/IDPEntryType.java
@@ -0,0 +1,101 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import java.net.URI;
+
+/**
+ * <p>
+ * Java class for IDPEntryType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="IDPEntryType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="ProviderID" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="Name" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *       &lt;attribute name="Loc" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class IDPEntryType {
+
+    protected URI providerID;
+    protected String name;
+    protected String loc;
+
+    /**
+     * Gets the value of the providerID property.
+     *
+     * @return possible object is {@link String }
+     */
+    public URI getProviderID() {
+        return providerID;
+    }
+
+    /**
+     * Sets the value of the providerID property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setProviderID(URI value) {
+        this.providerID = value;
+    }
+
+    /**
+     * Gets the value of the name property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getName() {
+        return name;
+    }
+
+    /**
+     * Sets the value of the name property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setName(String value) {
+        this.name = value;
+    }
+
+    /**
+     * Gets the value of the loc property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getLoc() {
+        return loc;
+    }
+
+    /**
+     * Sets the value of the loc property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setLoc(String value) {
+        this.loc = value;
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/IDPListType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/IDPListType.java
new file mode 100755
index 0000000000..fe1dbb8145
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/IDPListType.java
@@ -0,0 +1,93 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for IDPListType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="IDPListType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}IDPEntry" maxOccurs="unbounded"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}GetComplete" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class IDPListType {
+
+    protected List<IDPEntryType> idpEntry = new ArrayList<IDPEntryType>();
+    protected URI getComplete;
+
+    /**
+     * Add an idp entry
+     *
+     * @param entry
+     */
+    public void addIDPEntry(IDPEntryType entry) {
+        this.idpEntry.add(entry);
+    }
+
+    /**
+     * Remove an idp entry
+     *
+     * @param entry
+     */
+    public void removeIDPEntry(IDPEntryType entry) {
+        this.idpEntry.remove(entry);
+    }
+
+    /**
+     * Gets the value of the idpEntry property.
+     */
+    public List<IDPEntryType> getIDPEntry() {
+        return Collections.unmodifiableList(this.idpEntry);
+    }
+
+    /**
+     * Gets the value of the getComplete property.
+     *
+     * @return possible object is {@link String }
+     */
+    public URI getGetComplete() {
+        return getComplete;
+    }
+
+    /**
+     * Sets the value of the getComplete property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setGetComplete(URI value) {
+        this.getComplete = value;
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/LogoutRequestType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/LogoutRequestType.java
new file mode 100755
index 0000000000..7249481056
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/LogoutRequestType.java
@@ -0,0 +1,190 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import org.keycloak.dom.saml.v2.assertion.BaseIDAbstractType;
+import org.keycloak.dom.saml.v2.assertion.EncryptedElementType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for LogoutRequestType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="LogoutRequestType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:protocol}RequestAbstractType">
+ *       &lt;sequence>
+ *         &lt;choice>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}BaseID"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}NameID"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}EncryptedID"/>
+ *         &lt;/choice>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}SessionIndex" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Reason" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *       &lt;attribute name="NotOnOrAfter" type="{http://www.w3.org/2001/XMLSchema}dateTime" />
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class LogoutRequestType extends RequestAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected BaseIDAbstractType baseID;
+
+    protected NameIDType nameID;
+
+    protected EncryptedElementType encryptedID;
+
+    protected List<String> sessionIndex = new ArrayList<String>();
+
+    protected String reason;
+
+    protected XMLGregorianCalendar notOnOrAfter;
+
+    public LogoutRequestType(String id, XMLGregorianCalendar instant) {
+        super(id, instant);
+    }
+
+    /**
+     * Gets the value of the baseID property.
+     *
+     * @return possible object is {@link BaseIDAbstractType }
+     */
+    public BaseIDAbstractType getBaseID() {
+        return baseID;
+    }
+
+    /**
+     * Sets the value of the baseID property.
+     *
+     * @param value allowed object is {@link BaseIDAbstractType }
+     */
+    public void setBaseID(BaseIDAbstractType value) {
+        this.baseID = value;
+    }
+
+    /**
+     * Gets the value of the nameID property.
+     *
+     * @return possible object is {@link NameIDType }
+     */
+    public NameIDType getNameID() {
+        return nameID;
+    }
+
+    /**
+     * Sets the value of the nameID property.
+     *
+     * @param value allowed object is {@link NameIDType }
+     */
+    public void setNameID(NameIDType value) {
+        this.nameID = value;
+    }
+
+    /**
+     * Gets the value of the encryptedID property.
+     *
+     * @return possible object is {@link EncryptedElementType }
+     */
+    public EncryptedElementType getEncryptedID() {
+        return encryptedID;
+    }
+
+    /**
+     * Sets the value of the encryptedID property.
+     *
+     * @param value allowed object is {@link EncryptedElementType }
+     */
+    public void setEncryptedID(EncryptedElementType value) {
+        this.encryptedID = value;
+    }
+
+    /**
+     * Add session index
+     *
+     * @param index
+     */
+    public void addSessionIndex(String index) {
+        this.sessionIndex.add(index);
+    }
+
+    /**
+     * Remove session index
+     *
+     * @param index
+     */
+    public void removeSessionIndex(String index) {
+        this.sessionIndex.remove(index);
+    }
+
+    /**
+     * Gets the value of the sessionIndex property.
+     */
+    public List<String> getSessionIndex() {
+        return Collections.unmodifiableList(this.sessionIndex);
+    }
+
+    /**
+     * Gets the value of the reason property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getReason() {
+        return reason;
+    }
+
+    /**
+     * Sets the value of the reason property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setReason(String value) {
+        this.reason = value;
+    }
+
+    /**
+     * Gets the value of the notOnOrAfter property.
+     *
+     * @return possible object is {@link XMLGregorianCalendar }
+     */
+    public XMLGregorianCalendar getNotOnOrAfter() {
+        return notOnOrAfter;
+    }
+
+    /**
+     * Sets the value of the notOnOrAfter property.
+     *
+     * @param value allowed object is {@link XMLGregorianCalendar }
+     */
+    public void setNotOnOrAfter(XMLGregorianCalendar value) {
+        this.notOnOrAfter = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ManageNameIDRequestType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ManageNameIDRequestType.java
new file mode 100755
index 0000000000..c798d12f95
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ManageNameIDRequestType.java
@@ -0,0 +1,160 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import org.keycloak.dom.saml.v2.assertion.EncryptedElementType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+
+/**
+ * <p>
+ * Java class for ManageNameIDRequestType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ManageNameIDRequestType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:protocol}RequestAbstractType">
+ *       &lt;sequence>
+ *         &lt;choice>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}NameID"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}EncryptedID"/>
+ *         &lt;/choice>
+ *         &lt;choice>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}NewID"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}NewEncryptedID"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}Terminate"/>
+ *         &lt;/choice>
+ *       &lt;/sequence>
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ManageNameIDRequestType extends RequestAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected NameIDType nameID;
+
+    protected EncryptedElementType encryptedID;
+
+    protected String newID;
+
+    protected EncryptedElementType newEncryptedID;
+
+    protected TerminateType terminate;
+
+    public ManageNameIDRequestType(String id, XMLGregorianCalendar instant) {
+        super(id, instant);
+    }
+
+    /**
+     * Gets the value of the nameID property.
+     *
+     * @return possible object is {@link NameIDType }
+     */
+    public NameIDType getNameID() {
+        return nameID;
+    }
+
+    /**
+     * Sets the value of the nameID property.
+     *
+     * @param value allowed object is {@link NameIDType }
+     */
+    public void setNameID(NameIDType value) {
+        this.nameID = value;
+    }
+
+    /**
+     * Gets the value of the encryptedID property.
+     *
+     * @return possible object is {@link EncryptedElementType }
+     */
+    public EncryptedElementType getEncryptedID() {
+        return encryptedID;
+    }
+
+    /**
+     * Sets the value of the encryptedID property.
+     *
+     * @param value allowed object is {@link EncryptedElementType }
+     */
+    public void setEncryptedID(EncryptedElementType value) {
+        this.encryptedID = value;
+    }
+
+    /**
+     * Gets the value of the newID property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getNewID() {
+        return newID;
+    }
+
+    /**
+     * Sets the value of the newID property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setNewID(String value) {
+        this.newID = value;
+    }
+
+    /**
+     * Gets the value of the newEncryptedID property.
+     *
+     * @return possible object is {@link EncryptedElementType }
+     */
+    public EncryptedElementType getNewEncryptedID() {
+        return newEncryptedID;
+    }
+
+    /**
+     * Sets the value of the newEncryptedID property.
+     *
+     * @param value allowed object is {@link EncryptedElementType }
+     */
+    public void setNewEncryptedID(EncryptedElementType value) {
+        this.newEncryptedID = value;
+    }
+
+    /**
+     * Gets the value of the terminate property.
+     *
+     * @return possible object is {@link TerminateType }
+     */
+    public TerminateType getTerminate() {
+        return terminate;
+    }
+
+    /**
+     * Sets the value of the terminate property.
+     *
+     * @param value allowed object is {@link TerminateType }
+     */
+    public void setTerminate(TerminateType value) {
+        this.terminate = value;
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingRequestType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingRequestType.java
new file mode 100755
index 0000000000..d2b77b503d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingRequestType.java
@@ -0,0 +1,137 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import org.keycloak.dom.saml.v2.assertion.BaseIDAbstractType;
+import org.keycloak.dom.saml.v2.assertion.EncryptedElementType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+
+/**
+ * <p>
+ * Java class for NameIDMappingRequestType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="NameIDMappingRequestType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:protocol}RequestAbstractType">
+ *       &lt;sequence>
+ *         &lt;choice>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}BaseID"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}NameID"/>
+ *           &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}EncryptedID"/>
+ *         &lt;/choice>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}NameIDPolicy"/>
+ *       &lt;/sequence>
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class NameIDMappingRequestType extends RequestAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected BaseIDAbstractType baseID;
+
+    protected NameIDType nameID;
+
+    protected EncryptedElementType encryptedID;
+
+    protected NameIDPolicyType nameIDPolicy;
+
+    public NameIDMappingRequestType(String id, XMLGregorianCalendar instant) {
+        super(id, instant);
+    }
+
+    /**
+     * Gets the value of the baseID property.
+     *
+     * @return possible object is {@link BaseIDAbstractType }
+     */
+    public BaseIDAbstractType getBaseID() {
+        return baseID;
+    }
+
+    /**
+     * Sets the value of the baseID property.
+     *
+     * @param value allowed object is {@link BaseIDAbstractType }
+     */
+    public void setBaseID(BaseIDAbstractType value) {
+        this.baseID = value;
+    }
+
+    /**
+     * Gets the value of the nameID property.
+     *
+     * @return possible object is {@link NameIDType }
+     */
+    public NameIDType getNameID() {
+        return nameID;
+    }
+
+    /**
+     * Sets the value of the nameID property.
+     *
+     * @param value allowed object is {@link NameIDType }
+     */
+    public void setNameID(NameIDType value) {
+        this.nameID = value;
+    }
+
+    /**
+     * Gets the value of the encryptedID property.
+     *
+     * @return possible object is {@link EncryptedElementType }
+     */
+    public EncryptedElementType getEncryptedID() {
+        return encryptedID;
+    }
+
+    /**
+     * Sets the value of the encryptedID property.
+     *
+     * @param value allowed object is {@link EncryptedElementType }
+     */
+    public void setEncryptedID(EncryptedElementType value) {
+        this.encryptedID = value;
+    }
+
+    /**
+     * Gets the value of the nameIDPolicy property.
+     *
+     * @return possible object is {@link NameIDPolicyType }
+     */
+    public NameIDPolicyType getNameIDPolicy() {
+        return nameIDPolicy;
+    }
+
+    /**
+     * Sets the value of the nameIDPolicy property.
+     *
+     * @param value allowed object is {@link NameIDPolicyType }
+     */
+    public void setNameIDPolicy(NameIDPolicyType value) {
+        this.nameIDPolicy = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingResponseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingResponseType.java
new file mode 100755
index 0000000000..30ce02c05d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDMappingResponseType.java
@@ -0,0 +1,92 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import org.keycloak.dom.saml.v2.assertion.EncryptedElementType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+
+/**
+ * <p>
+ * Java class for NameIDMappingResponseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="NameIDMappingResponseType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:protocol}StatusResponseType">
+ *       &lt;choice>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}NameID"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}EncryptedID"/>
+ *       &lt;/choice>
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class NameIDMappingResponseType extends StatusResponseType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected NameIDType nameID;
+
+    protected EncryptedElementType encryptedID;
+
+    public NameIDMappingResponseType(String id, XMLGregorianCalendar issueInstant) {
+        super(id, issueInstant);
+    }
+
+    /**
+     * Gets the value of the nameID property.
+     *
+     * @return possible object is {@link NameIDType }
+     */
+    public NameIDType getNameID() {
+        return nameID;
+    }
+
+    /**
+     * Sets the value of the nameID property.
+     *
+     * @param value allowed object is {@link NameIDType }
+     */
+    public void setNameID(NameIDType value) {
+        this.nameID = value;
+    }
+
+    /**
+     * Gets the value of the encryptedID property.
+     *
+     * @return possible object is {@link EncryptedElementType }
+     */
+    public EncryptedElementType getEncryptedID() {
+        return encryptedID;
+    }
+
+    /**
+     * Sets the value of the encryptedID property.
+     *
+     * @param value allowed object is {@link EncryptedElementType }
+     */
+    public void setEncryptedID(EncryptedElementType value) {
+        this.encryptedID = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDPolicyType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDPolicyType.java
new file mode 100755
index 0000000000..638310808b
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/NameIDPolicyType.java
@@ -0,0 +1,100 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import java.net.URI;
+
+/**
+ * <p>
+ * Java class for NameIDPolicyType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="NameIDPolicyType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;attribute name="Format" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="SPNameQualifier" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *       &lt;attribute name="AllowCreate" type="{http://www.w3.org/2001/XMLSchema}boolean" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class NameIDPolicyType {
+
+    protected URI format;
+    protected String spNameQualifier;
+    protected Boolean allowCreate = Boolean.FALSE;
+
+    /**
+     * Gets the value of the format property.
+     *
+     * @return possible object is {@link String }
+     */
+    public URI getFormat() {
+        return format;
+    }
+
+    /**
+     * Sets the value of the format property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setFormat(URI value) {
+        this.format = value;
+    }
+
+    /**
+     * Gets the value of the spNameQualifier property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getSPNameQualifier() {
+        return spNameQualifier;
+    }
+
+    /**
+     * Sets the value of the spNameQualifier property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setSPNameQualifier(String value) {
+        this.spNameQualifier = value;
+    }
+
+    /**
+     * Gets the value of the allowCreate property.
+     *
+     * @return possible object is {@link Boolean }
+     */
+    public Boolean isAllowCreate() {
+        return allowCreate;
+    }
+
+    /**
+     * Sets the value of the allowCreate property.
+     *
+     * @param value allowed object is {@link Boolean }
+     */
+    public void setAllowCreate(Boolean value) {
+        this.allowCreate = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/RequestAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/RequestAbstractType.java
new file mode 100755
index 0000000000..5fa57ab9f4
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/RequestAbstractType.java
@@ -0,0 +1,151 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import org.keycloak.dom.saml.common.CommonRequestAbstractType;
+import org.keycloak.dom.saml.v2.SAML2Object;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.net.URI;
+
+/**
+ * <p>
+ * Java class for RequestAbstractType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="RequestAbstractType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Issuer" minOccurs="0"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}Signature" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}Extensions" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="ID" use="required" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *       &lt;attribute name="Version" use="required" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *       &lt;attribute name="IssueInstant" use="required" type="{http://www.w3.org/2001/XMLSchema}dateTime" />
+ *       &lt;attribute name="Destination" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="Consent" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public abstract class RequestAbstractType extends CommonRequestAbstractType implements SAML2Object {
+
+    private static final long serialVersionUID = 1L;
+
+    protected NameIDType issuer;
+
+    protected ExtensionsType extensions;
+
+    protected String version = "2.0";
+
+    protected URI destination;
+
+    protected String consent;
+
+    public RequestAbstractType(String id, XMLGregorianCalendar instant) {
+        super(id, instant);
+    }
+
+    /**
+     * Gets the value of the issuer property.
+     *
+     * @return possible object is {@link NameIDType }
+     */
+    public NameIDType getIssuer() {
+        return issuer;
+    }
+
+    /**
+     * Sets the value of the issuer property.
+     *
+     * @param value allowed object is {@link NameIDType }
+     */
+    public void setIssuer(NameIDType value) {
+        this.issuer = value;
+    }
+
+    /**
+     * Gets the value of the extensions property.
+     *
+     * @return possible object is {@link ExtensionsType }
+     */
+    public ExtensionsType getExtensions() {
+        return extensions;
+    }
+
+    /**
+     * Sets the value of the extensions property.
+     *
+     * @param value allowed object is {@link ExtensionsType }
+     */
+    public void setExtensions(ExtensionsType value) {
+        this.extensions = value;
+    }
+
+    /**
+     * Gets the value of the version property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getVersion() {
+        return version;
+    }
+
+    /**
+     * Gets the value of the destination property.
+     *
+     * @return possible object is {@link String }
+     */
+    public URI getDestination() {
+        return destination;
+    }
+
+    /**
+     * Sets the value of the destination property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setDestination(URI value) {
+        this.destination = value;
+    }
+
+    /**
+     * Gets the value of the consent property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getConsent() {
+        return consent;
+    }
+
+    /**
+     * Sets the value of the consent property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setConsent(String value) {
+        this.consent = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/RequestedAuthnContextType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/RequestedAuthnContextType.java
new file mode 100755
index 0000000000..0aea25ee28
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/RequestedAuthnContextType.java
@@ -0,0 +1,135 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for RequestedAuthnContextType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="RequestedAuthnContextType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AuthnContextClassRef" maxOccurs="unbounded"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}AuthnContextDeclRef" maxOccurs="unbounded"/>
+ *       &lt;/choice>
+ *       &lt;attribute name="Comparison" type="{urn:oasis:names:tc:SAML:2.0:protocol}AuthnContextComparisonType" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class RequestedAuthnContextType {
+
+    protected List<String> authnContextClassRef = new ArrayList<String>();
+    protected List<String> authnContextDeclRef = new ArrayList<String>();
+    protected AuthnContextComparisonType comparison;
+
+    /**
+     * Add an authn Context class ref
+     *
+     * @param str
+     */
+    public void addAuthnContextClassRef(String str) {
+        this.authnContextClassRef.add(str);
+    }
+
+    /**
+     * Add authn context decl ref
+     *
+     * @param str
+     */
+    public void addAuthnContextDeclRef(String str) {
+        this.authnContextDeclRef.add(str);
+    }
+
+    /**
+     * Remove an authn Context class ref
+     *
+     * @param str
+     */
+    public void removeAuthnContextClassRef(String str) {
+        this.authnContextClassRef.remove(str);
+    }
+
+    /**
+     * remove authn context decl ref
+     *
+     * @param str
+     */
+    public void removeAuthnContextDeclRef(String str) {
+        this.authnContextDeclRef.remove(str);
+    }
+
+    /**
+     * Gets the value of the authnContextClassRef property.
+     */
+    public List<String> getAuthnContextClassRef() {
+        return Collections.unmodifiableList(this.authnContextClassRef);
+    }
+
+    /**
+     * Gets the value of the authnContextDeclRef property.
+     *
+     * <p>
+     * This accessor method returns a reference to the live list, not a snapshot. Therefore any modification you make to
+     * the
+     * returned list will be present inside the JAXB object. This is why there is not a <CODE>set</CODE> method for the
+     * authnContextDeclRef property.
+     *
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getAuthnContextDeclRef().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link String }
+     */
+    public List<String> getAuthnContextDeclRef() {
+        return Collections.unmodifiableList(this.authnContextDeclRef);
+    }
+
+    /**
+     * Gets the value of the comparison property.
+     *
+     * @return possible object is {@link AuthnContextComparisonType }
+     */
+    public AuthnContextComparisonType getComparison() {
+        return comparison;
+    }
+
+    /**
+     * Sets the value of the comparison property.
+     *
+     * @param value allowed object is {@link AuthnContextComparisonType }
+     */
+    public void setComparison(AuthnContextComparisonType value) {
+        this.comparison = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ResponseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ResponseType.java
new file mode 100755
index 0000000000..e4664b46c6
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ResponseType.java
@@ -0,0 +1,137 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
+import org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for ResponseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ResponseType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:protocol}StatusResponseType">
+ *       &lt;choice maxOccurs="unbounded" minOccurs="0">
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Assertion"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}EncryptedAssertion"/>
+ *       &lt;/choice>
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ResponseType extends StatusResponseType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected List<RTChoiceType> assertions = new ArrayList<ResponseType.RTChoiceType>();
+
+    public ResponseType(String id, XMLGregorianCalendar issueInstant) {
+        super(id, issueInstant);
+    }
+
+    public ResponseType(StatusResponseType srt) {
+        super(srt);
+    }
+
+    /**
+     * Add an assertion
+     *
+     * @param choice
+     */
+    public void addAssertion(RTChoiceType choice) {
+        assertions.add(choice);
+    }
+
+    /**
+     * Remove an assertion
+     *
+     * @param choice
+     */
+    public void removeAssertion(RTChoiceType choice) {
+        assertions.remove(choice);
+    }
+
+    /**
+     * Replace the first assertion with the passed assertion
+     *
+     * @param id id of the old assertion
+     * @param newAssertion
+     */
+    public void replaceAssertion(String id, RTChoiceType newAssertion) {
+        int index = 0;
+        if (id != null && !id.isEmpty()) {
+            for (RTChoiceType assertion : assertions) {
+                if (assertion.getID().equals(id)) {
+                    break;
+                }
+                index++;
+            }
+        }
+        assertions.remove(index);
+        assertions.add(index, newAssertion);
+    }
+
+    /**
+     * Gets a read only list of assertions
+     */
+    public List<RTChoiceType> getAssertions() {
+        return Collections.unmodifiableList(assertions);
+    }
+
+    public static class RTChoiceType {
+
+        private AssertionType assertion;
+
+        private EncryptedAssertionType encryptedAssertion;
+
+        private String id;
+
+        public RTChoiceType(AssertionType assertion) {
+            this.assertion = assertion;
+            this.id = assertion.getID();
+        }
+
+        public RTChoiceType(EncryptedAssertionType encryptedAssertion) {
+            this.encryptedAssertion = encryptedAssertion;
+
+        }
+
+        public AssertionType getAssertion() {
+            return assertion;
+        }
+
+        public EncryptedAssertionType getEncryptedAssertion() {
+            return encryptedAssertion;
+        }
+
+        public String getID() {
+            return id;
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ScopingType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ScopingType.java
new file mode 100755
index 0000000000..bcd8060231
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/ScopingType.java
@@ -0,0 +1,125 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import java.math.BigInteger;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for ScopingType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ScopingType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}IDPList" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}RequesterID" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="ProxyCount" type="{http://www.w3.org/2001/XMLSchema}nonNegativeInteger" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ScopingType {
+
+    protected IDPListType idpList;
+    protected List<URI> requesterID = new ArrayList<URI>();
+
+    protected BigInteger proxyCount;
+
+    /**
+     * Gets the value of the idpList property.
+     *
+     * @return possible object is {@link IDPListType }
+     */
+    public IDPListType getIDPList() {
+        return idpList;
+    }
+
+    /**
+     * Sets the value of the idpList property.
+     *
+     * @param value allowed object is {@link IDPListType }
+     */
+    public void setIDPList(IDPListType value) {
+        this.idpList = value;
+    }
+
+    /**
+     * Gets the value of the requesterID property.
+     * <p>
+     * For example, to add a new item, do as follows:
+     *
+     * <pre>
+     * getRequesterID().add(newItem);
+     * </pre>
+     *
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link String }
+     */
+    public List<URI> getRequesterID() {
+        return Collections.unmodifiableList(this.requesterID);
+    }
+
+    /**
+     * Add requester id
+     *
+     * @param uri
+     */
+    public void addRequesterID(URI uri) {
+        this.requesterID.add(uri);
+    }
+
+    /**
+     * Remove requester id
+     *
+     * @param uri
+     */
+    public void removeRequesterID(URI uri) {
+        this.requesterID.remove(uri);
+    }
+
+    /**
+     * Gets the value of the proxyCount property.
+     *
+     * @return possible object is {@link BigInteger }
+     */
+    public BigInteger getProxyCount() {
+        return proxyCount;
+    }
+
+    /**
+     * Sets the value of the proxyCount property.
+     *
+     * @param value allowed object is {@link BigInteger }
+     */
+    public void setProxyCount(BigInteger value) {
+        this.proxyCount = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusCodeType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusCodeType.java
new file mode 100755
index 0000000000..2ce85eb6b9
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusCodeType.java
@@ -0,0 +1,82 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import java.net.URI;
+
+/**
+ * <p>
+ * Java class for StatusCodeType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="StatusCodeType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}StatusCode" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Value" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class StatusCodeType {
+
+    protected StatusCodeType statusCode;
+    protected URI value;
+
+    /**
+     * Gets the value of the statusCode property.
+     *
+     * @return possible object is {@link StatusCodeType }
+     */
+    public StatusCodeType getStatusCode() {
+        return statusCode;
+    }
+
+    /**
+     * Sets the value of the statusCode property.
+     *
+     * @param value allowed object is {@link StatusCodeType }
+     */
+    public void setStatusCode(StatusCodeType value) {
+        this.statusCode = value;
+    }
+
+    /**
+     * Gets the value of the value property.
+     *
+     * @return possible object is {@link String }
+     */
+    public URI getValue() {
+        return value;
+    }
+
+    /**
+     * Sets the value of the value property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setValue(URI value) {
+        this.value = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusDetailType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusDetailType.java
new file mode 100755
index 0000000000..22f21714f2
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusDetailType.java
@@ -0,0 +1,44 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import org.keycloak.dom.saml.common.CommonStatusDetailType;
+
+/**
+ * <p>
+ * Java class for StatusDetailType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="StatusDetailType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class StatusDetailType extends CommonStatusDetailType {
+
+    private static final long serialVersionUID = 1L;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusResponseType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusResponseType.java
new file mode 100755
index 0000000000..5cbd1d13fc
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusResponseType.java
@@ -0,0 +1,187 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import org.keycloak.dom.saml.common.CommonResponseType;
+import org.keycloak.dom.saml.v2.SAML2Object;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+
+/**
+ * <p>
+ * Java class for StatusResponseType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="StatusResponseType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Issuer" minOccurs="0"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}Signature" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}Extensions" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}Status"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="ID" use="required" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *       &lt;attribute name="InResponseTo" type="{http://www.w3.org/2001/XMLSchema}NCName" />
+ *       &lt;attribute name="Version" use="required" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *       &lt;attribute name="IssueInstant" use="required" type="{http://www.w3.org/2001/XMLSchema}dateTime" />
+ *       &lt;attribute name="Destination" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="Consent" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class StatusResponseType extends CommonResponseType implements SAML2Object {
+
+    private static final long serialVersionUID = 1L;
+
+    protected NameIDType issuer;
+
+    protected ExtensionsType extensions;
+
+    protected StatusType status;
+
+    protected String id;
+
+    protected String version = "2.0";
+
+    protected XMLGregorianCalendar issueInstant;
+
+    protected String destination;
+
+    protected String consent;
+
+    public StatusResponseType(String id, XMLGregorianCalendar issueInstant) {
+        super(id, issueInstant);
+    }
+
+    public StatusResponseType(StatusResponseType srt) {
+        this(srt.getID(), srt.getIssueInstant());
+        this.issuer = srt.getIssuer();
+        this.signature = srt.getSignature();
+        this.extensions = srt.getExtensions();
+        this.status = srt.getStatus();
+        this.inResponseTo = srt.getInResponseTo();
+        this.destination = srt.getDestination();
+        this.consent = srt.getConsent();
+    }
+
+    /**
+     * Gets the value of the issuer property.
+     *
+     * @return possible object is {@link NameIDType }
+     */
+    public NameIDType getIssuer() {
+        return issuer;
+    }
+
+    /**
+     * Sets the value of the issuer property.
+     *
+     * @param value allowed object is {@link NameIDType }
+     */
+    public void setIssuer(NameIDType value) {
+        this.issuer = value;
+    }
+
+    /**
+     * Gets the value of the extensions property.
+     *
+     * @return possible object is {@link ExtensionsType }
+     */
+    public ExtensionsType getExtensions() {
+        return extensions;
+    }
+
+    /**
+     * Sets the value of the extensions property.
+     *
+     * @param value allowed object is {@link ExtensionsType }
+     */
+    public void setExtensions(ExtensionsType value) {
+        this.extensions = value;
+    }
+
+    /**
+     * Gets the value of the status property.
+     *
+     * @return possible object is {@link StatusType }
+     */
+    public StatusType getStatus() {
+        return status;
+    }
+
+    /**
+     * Sets the value of the status property.
+     *
+     * @param value allowed object is {@link StatusType }
+     */
+    public void setStatus(StatusType value) {
+        this.status = value;
+    }
+
+    /**
+     * Gets the value of the version property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getVersion() {
+        return version;
+    }
+
+    /**
+     * Gets the value of the destination property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getDestination() {
+        return destination;
+    }
+
+    /**
+     * Sets the value of the destination property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setDestination(String value) {
+        this.destination = value;
+    }
+
+    /**
+     * Gets the value of the consent property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getConsent() {
+        return consent;
+    }
+
+    /**
+     * Sets the value of the consent property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setConsent(String value) {
+        this.consent = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusType.java
new file mode 100755
index 0000000000..9918879e43
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/StatusType.java
@@ -0,0 +1,101 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+/**
+ * <p>
+ * Java class for StatusType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="StatusType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}StatusCode"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}StatusMessage" minOccurs="0"/>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:protocol}StatusDetail" minOccurs="0"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class StatusType {
+
+    protected String statusMessage;
+    protected StatusCodeType statusCode;
+    protected StatusDetailType statusDetail;
+
+    /**
+     * Gets the value of the statusCode property.
+     *
+     * @return possible object is {@link StatusCodeType }
+     */
+    public StatusCodeType getStatusCode() {
+        return statusCode;
+    }
+
+    /**
+     * Sets the value of the statusCode property.
+     *
+     * @param value allowed object is {@link StatusCodeType }
+     */
+    public void setStatusCode(StatusCodeType value) {
+        this.statusCode = value;
+    }
+
+    /**
+     * Gets the value of the statusMessage property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getStatusMessage() {
+        return statusMessage;
+    }
+
+    /**
+     * Sets the value of the statusMessage property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setStatusMessage(String value) {
+        this.statusMessage = value;
+    }
+
+    /**
+     * Gets the value of the statusDetail property.
+     *
+     * @return possible object is {@link StatusDetailType }
+     */
+    public StatusDetailType getStatusDetail() {
+        return statusDetail;
+    }
+
+    /**
+     * Sets the value of the statusDetail property.
+     *
+     * @param value allowed object is {@link StatusDetailType }
+     */
+    public void setStatusDetail(StatusDetailType value) {
+        this.statusDetail = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/SubjectQueryAbstractType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/SubjectQueryAbstractType.java
new file mode 100755
index 0000000000..31b29588c2
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/SubjectQueryAbstractType.java
@@ -0,0 +1,65 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+import org.keycloak.dom.saml.v2.assertion.SubjectType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+
+/**
+ * <p>
+ * Java class for SubjectQueryAbstractType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SubjectQueryAbstractType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{urn:oasis:names:tc:SAML:2.0:protocol}RequestAbstractType">
+ *       &lt;sequence>
+ *         &lt;element ref="{urn:oasis:names:tc:SAML:2.0:assertion}Subject"/>
+ *       &lt;/sequence>
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public abstract class SubjectQueryAbstractType extends RequestAbstractType {
+
+    private static final long serialVersionUID = 1L;
+
+    protected SubjectType subject;
+
+    public SubjectQueryAbstractType(String id, XMLGregorianCalendar instant) {
+        super(id, instant);
+    }
+
+    public void setSubject(SubjectType subject) {
+        this.subject = subject;
+    }
+
+    /**
+     * Gets the value of the subject property.
+     *
+     * @return possible object is {@link SubjectType }
+     */
+    public SubjectType getSubject() {
+        return subject;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/TerminateType.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/TerminateType.java
new file mode 100755
index 0000000000..8a3890e9d9
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/TerminateType.java
@@ -0,0 +1,38 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
+/**
+ * <p>
+ * Java class for TerminateType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="TerminateType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class TerminateType {
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/package-info.java b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/package-info.java
new file mode 100755
index 0000000000..d52fa899aa
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/saml/v2/protocol/package-info.java
@@ -0,0 +1,23 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Package containing the classes for the protocol of SAMLv2
+ */
+package org.keycloak.dom.saml.v2.protocol;
+
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/CanonicalizationMethodType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/CanonicalizationMethodType.java
new file mode 100755
index 0000000000..6529ae0734
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/CanonicalizationMethodType.java
@@ -0,0 +1,67 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.net.URI;
+
+/**
+ * <p>
+ * Java class for CanonicalizationMethodType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="CanonicalizationMethodType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Algorithm" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class CanonicalizationMethodType {
+
+    protected URI algorithm;
+    private Object content;
+
+    public CanonicalizationMethodType(URI algorithm) {
+        this.algorithm = algorithm;
+    }
+
+    public void setContent(Object content) {
+        this.content = content;
+    }
+
+    public Object getContent() {
+        return this.content;
+    }
+
+    /**
+     * Gets the value of the algorithm property.
+     *
+     * @return possible object is {@link String }
+     */
+    public URI getAlgorithm() {
+        return algorithm;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/DSAKeyValueType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/DSAKeyValueType.java
new file mode 100755
index 0000000000..9a252ddf65
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/DSAKeyValueType.java
@@ -0,0 +1,304 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import org.keycloak.saml.common.constants.WSTrustConstants;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.Base64;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.interfaces.DSAPrivateKey;
+import java.security.interfaces.DSAPublicKey;
+import java.security.spec.DSAPrivateKeySpec;
+import java.security.spec.DSAPublicKeySpec;
+
+/**
+ * <p>
+ * Java class for DSAKeyValueType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="DSAKeyValueType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;sequence minOccurs="0">
+ *           &lt;element name="P" type="{http://www.w3.org/2000/09/xmldsig#}CryptoBinary"/>
+ *           &lt;element name="Q" type="{http://www.w3.org/2000/09/xmldsig#}CryptoBinary"/>
+ *         &lt;/sequence>
+ *         &lt;element name="G" type="{http://www.w3.org/2000/09/xmldsig#}CryptoBinary" minOccurs="0"/>
+ *         &lt;element name="Y" type="{http://www.w3.org/2000/09/xmldsig#}CryptoBinary"/>
+ *         &lt;element name="J" type="{http://www.w3.org/2000/09/xmldsig#}CryptoBinary" minOccurs="0"/>
+ *         &lt;sequence minOccurs="0">
+ *           &lt;element name="Seed" type="{http://www.w3.org/2000/09/xmldsig#}CryptoBinary"/>
+ *           &lt;element name="PgenCounter" type="{http://www.w3.org/2000/09/xmldsig#}CryptoBinary"/>
+ *         &lt;/sequence>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class DSAKeyValueType implements KeyValueType {
+
+    protected byte[] p;
+    protected byte[] q;
+    protected byte[] g;
+    protected byte[] y;
+    protected byte[] j;
+    protected byte[] seed;
+    protected byte[] pgenCounter;
+
+    /**
+     * Gets the value of the p property.
+     *
+     * @return possible object is byte[]
+     */
+    public byte[] getP() {
+        return p;
+    }
+
+    /**
+     * Sets the value of the p property.
+     *
+     * @param value allowed object is byte[]
+     */
+    public void setP(byte[] value) {
+        this.p = ((byte[]) value);
+    }
+
+    /**
+     * Gets the value of the q property.
+     *
+     * @return possible object is byte[]
+     */
+    public byte[] getQ() {
+        return q;
+    }
+
+    /**
+     * Sets the value of the q property.
+     *
+     * @param value allowed object is byte[]
+     */
+    public void setQ(byte[] value) {
+        this.q = ((byte[]) value);
+    }
+
+    /**
+     * Gets the value of the g property.
+     *
+     * @return possible object is byte[]
+     */
+    public byte[] getG() {
+        return g;
+    }
+
+    /**
+     * Sets the value of the g property.
+     *
+     * @param value allowed object is byte[]
+     */
+    public void setG(byte[] value) {
+        this.g = ((byte[]) value);
+    }
+
+    /**
+     * Gets the value of the y property.
+     *
+     * @return possible object is byte[]
+     */
+    public byte[] getY() {
+        return y;
+    }
+
+    /**
+     * Sets the value of the y property.
+     *
+     * @param value allowed object is byte[]
+     */
+    public void setY(byte[] value) {
+        this.y = ((byte[]) value);
+    }
+
+    /**
+     * Gets the value of the j property.
+     *
+     * @return possible object is byte[]
+     */
+    public byte[] getJ() {
+        return j;
+    }
+
+    /**
+     * Sets the value of the j property.
+     *
+     * @param value allowed object is byte[]
+     */
+    public void setJ(byte[] value) {
+        this.j = ((byte[]) value);
+    }
+
+    /**
+     * Gets the value of the seed property.
+     *
+     * @return possible object is byte[]
+     */
+    public byte[] getSeed() {
+        return seed;
+    }
+
+    /**
+     * Sets the value of the seed property.
+     *
+     * @param value allowed object is byte[]
+     */
+    public void setSeed(byte[] value) {
+        this.seed = ((byte[]) value);
+    }
+
+    /**
+     * Gets the value of the pgenCounter property.
+     *
+     * @return possible object is byte[]
+     */
+    public byte[] getPgenCounter() {
+        return pgenCounter;
+    }
+
+    /**
+     * Sets the value of the pgenCounter property.
+     *
+     * @param value allowed object is byte[]
+     */
+    public void setPgenCounter(byte[] value) {
+        this.pgenCounter = ((byte[]) value);
+    }
+
+    /**
+     * Convert to the JDK representation of a DSA Public Key
+     *
+     * @return
+     *
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     */
+    public DSAPublicKey convertToPublicKey() throws ProcessingException {
+        BigInteger BigY, BigP, BigQ, BigG;
+
+        BigY = new BigInteger(1, massage(Base64.decode(new String(y))));
+        BigP = new BigInteger(1, massage(Base64.decode(new String(p))));
+        BigQ = new BigInteger(1, massage(Base64.decode(new String(q))));
+        BigG = new BigInteger(1, massage(Base64.decode(new String(g))));
+
+        try {
+            KeyFactory dsaKeyFactory = KeyFactory.getInstance("dsa");
+            DSAPublicKeySpec kspec = new DSAPublicKeySpec(BigY, BigP, BigQ, BigG);
+            return (DSAPublicKey) dsaKeyFactory.generatePublic(kspec);
+        } catch (Exception e) {
+            throw new ProcessingException(e);
+        }
+    }
+
+    /**
+     * Convert to the JDK representation of a DSA Private Key
+     *
+     * @return
+     *
+     * @throws ProcessingException
+     */
+    public DSAPrivateKey convertToPrivateKey() throws ProcessingException {
+        BigInteger BigY, BigP, BigQ, BigG;
+
+        BigY = new BigInteger(1, massage(Base64.decode(new String(y))));
+        BigP = new BigInteger(1, massage(Base64.decode(new String(p))));
+        BigQ = new BigInteger(1, massage(Base64.decode(new String(q))));
+        BigG = new BigInteger(1, massage(Base64.decode(new String(g))));
+
+        try {
+            KeyFactory dsaKeyFactory = KeyFactory.getInstance("dsa");
+            DSAPrivateKeySpec kspec = new DSAPrivateKeySpec(BigY, BigP, BigQ, BigG);
+            return (DSAPrivateKey) dsaKeyFactory.generatePrivate(kspec);
+        } catch (Exception e) {
+            throw new ProcessingException(e);
+        }
+    }
+
+    public String toString() {
+        String prefix = WSTrustConstants.XMLDSig.DSIG_PREFIX;
+        String colon = ":";
+        String left = "<";
+        String right = ">";
+        String slash = "/";
+
+        StringBuilder sb = new StringBuilder();
+
+        sb.append(left).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.DSA_KEYVALUE).append(right);
+
+        if (p != null) {
+            sb.append(left).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.P).append(right);
+            sb.append(new String(getP()));
+            sb.append(left).append(slash).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.P).append(right);
+        }
+
+        if (q != null) {
+            sb.append(left).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.Q).append(right);
+            sb.append(new String(getQ()));
+            sb.append(left).append(slash).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.Q).append(right);
+        }
+
+        if (g != null) {
+            sb.append(left).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.G).append(right);
+            sb.append(new String(getG()));
+            sb.append(left).append(slash).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.G).append(right);
+        }
+
+        if (y != null) {
+            sb.append(left).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.Y).append(right);
+            sb.append(new String(getY()));
+            sb.append(left).append(slash).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.Y).append(right);
+        }
+
+        if (seed != null) {
+            sb.append(left).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.SEED).append(right);
+            sb.append(new String(getSeed()));
+            sb.append(left).append(slash).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.SEED).append(right);
+        }
+
+        if (pgenCounter != null) {
+            sb.append(left).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.PGEN_COUNTER).append(right);
+            sb.append(new String(getPgenCounter()));
+            sb.append(left).append(slash).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.PGEN_COUNTER).append(right);
+        }
+
+        sb.append(left).append(slash).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.DSA_KEYVALUE).append(right);
+        return sb.toString();
+    }
+
+    private byte[] massage(byte[] byteArray) {
+        if (byteArray[0] == 0) {
+            byte[] substring = new byte[byteArray.length - 1];
+            System.arraycopy(byteArray, 1, substring, 0, byteArray.length - 1);
+            return substring;
+        }
+        return byteArray;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/DigestMethodType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/DigestMethodType.java
new file mode 100755
index 0000000000..1e8cb4232d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/DigestMethodType.java
@@ -0,0 +1,67 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.net.URI;
+
+/**
+ * <p>
+ * Java class for DigestMethodType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="DigestMethodType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Algorithm" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class DigestMethodType {
+
+    protected URI algorithm;
+    private Object content;
+
+    public DigestMethodType(URI algorithm) {
+        this.algorithm = algorithm;
+    }
+
+    public void setContent(Object content) {
+        this.content = content;
+    }
+
+    public Object getContent() {
+        return this.content;
+    }
+
+    /**
+     * Gets the value of the algorithm property.
+     *
+     * @return possible object is {@link URI }
+     */
+    public URI getAlgorithm() {
+        return algorithm;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/KeyInfoType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/KeyInfoType.java
new file mode 100755
index 0000000000..d764fefba9
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/KeyInfoType.java
@@ -0,0 +1,86 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for KeyInfoType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="KeyInfoType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice maxOccurs="unbounded">
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}KeyName"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}KeyValue"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}RetrievalMethod"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}X509Data"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}PGPData"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}SPKIData"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}MgmtData"/>
+ *         &lt;any/>
+ *       &lt;/choice>
+ *       &lt;attribute name="Id" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class KeyInfoType {
+
+    protected String id;
+
+    protected List<Object> contentList = new ArrayList<Object>();
+
+    public void addContent(Object content) {
+        this.contentList.add(content);
+    }
+
+    public void removeContent(Object content) {
+        this.contentList.remove(content);
+    }
+
+    public List<Object> getContent() {
+        return Collections.unmodifiableList(contentList);
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setId(String value) {
+        this.id = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/KeyValueType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/KeyValueType.java
new file mode 100755
index 0000000000..fdef5a50bc
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/KeyValueType.java
@@ -0,0 +1,44 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+
+/**
+ * <p>
+ * Java class for KeyValueType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="KeyValueType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}DSAKeyValue"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}RSAKeyValue"/>
+ *         &lt;any/>
+ *       &lt;/choice>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public interface KeyValueType {
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/ManifestType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/ManifestType.java
new file mode 100755
index 0000000000..f7040b99f6
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/ManifestType.java
@@ -0,0 +1,84 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for ManifestType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ManifestType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}Reference" maxOccurs="unbounded"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Id" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ManifestType {
+
+    protected List<ReferenceType> reference = new ArrayList<ReferenceType>();
+    protected String id;
+
+    public void addReference(ReferenceType ref) {
+        this.reference.add(ref);
+    }
+
+    public void removeReference(ReferenceType ref) {
+        this.reference.remove(ref);
+    }
+
+    /**
+     * Gets the value of the reference property.
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ReferenceType }
+     */
+    public List<ReferenceType> getReference() {
+        return Collections.unmodifiableList(this.reference);
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setId(String value) {
+        this.id = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/ObjectType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/ObjectType.java
new file mode 100755
index 0000000000..e60ffd0bcd
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/ObjectType.java
@@ -0,0 +1,123 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for ObjectType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ObjectType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence maxOccurs="unbounded" minOccurs="0">
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Id" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *       &lt;attribute name="MimeType" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *       &lt;attribute name="Encoding" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ObjectType {
+
+    protected List<Object> content = new ArrayList<Object>();
+    protected String id;
+    protected String mimeType;
+    protected String encoding;
+
+    public void add(Object obj) {
+        this.content.add(obj);
+    }
+
+    public void remove(Object obj) {
+        this.content.remove(obj);
+    }
+
+    /**
+     * Gets the value of the content property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link org.w3c.dom.Element } {@link Object } {@link String }
+     */
+    public List<Object> getContent() {
+        return Collections.unmodifiableList(this.content);
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setId(String value) {
+        this.id = value;
+    }
+
+    /**
+     * Gets the value of the mimeType property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getMimeType() {
+        return mimeType;
+    }
+
+    /**
+     * Sets the value of the mimeType property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setMimeType(String value) {
+        this.mimeType = value;
+    }
+
+    /**
+     * Gets the value of the encoding property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getEncoding() {
+        return encoding;
+    }
+
+    /**
+     * Sets the value of the encoding property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setEncoding(String value) {
+        this.encoding = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/PGPDataType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/PGPDataType.java
new file mode 100755
index 0000000000..89084aaaa9
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/PGPDataType.java
@@ -0,0 +1,71 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for PGPDataType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="PGPDataType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice>
+ *         &lt;sequence>
+ *           &lt;element name="PGPKeyID" type="{http://www.w3.org/2001/XMLSchema}base64Binary"/>
+ *           &lt;element name="PGPKeyPacket" type="{http://www.w3.org/2001/XMLSchema}base64Binary" minOccurs="0"/>
+ *           &lt;any/>
+ *         &lt;/sequence>
+ *         &lt;sequence>
+ *           &lt;element name="PGPKeyPacket" type="{http://www.w3.org/2001/XMLSchema}base64Binary"/>
+ *           &lt;any/>
+ *         &lt;/sequence>
+ *       &lt;/choice>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class PGPDataType {
+
+    protected List<Object> content = new ArrayList<Object>();
+
+    public void add(Object obj) {
+        this.content.add(obj);
+    }
+
+    public void remove(Object obj) {
+        this.content.remove(obj);
+    }
+
+    /**
+     * Gets the value of the content property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link org.w3c.dom.Element } {@link Object } {@link String }
+     */
+    public List<Object> getContent() {
+        return Collections.unmodifiableList(this.content);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/RSAKeyValueType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/RSAKeyValueType.java
new file mode 100755
index 0000000000..0ded3fd69d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/RSAKeyValueType.java
@@ -0,0 +1,164 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import org.keycloak.saml.common.constants.WSTrustConstants;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.Base64;
+
+import java.math.BigInteger;
+import java.security.KeyFactory;
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+import java.security.spec.RSAPrivateKeySpec;
+import java.security.spec.RSAPublicKeySpec;
+
+/**
+ * <p>
+ * Java class for RSAKeyValueType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="RSAKeyValueType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element name="Modulus" type="{http://www.w3.org/2000/09/xmldsig#}CryptoBinary"/>
+ *         &lt;element name="Exponent" type="{http://www.w3.org/2000/09/xmldsig#}CryptoBinary"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class RSAKeyValueType implements KeyValueType {
+
+    protected byte[] modulus;
+    protected byte[] exponent;
+
+    /**
+     * Gets the value of the modulus property.
+     *
+     * @return possible object is byte[]
+     */
+    public byte[] getModulus() {
+        return modulus;
+    }
+
+    /**
+     * Sets the value of the modulus property.
+     *
+     * @param value allowed object is byte[]
+     */
+    public void setModulus(byte[] value) {
+        this.modulus = ((byte[]) value);
+    }
+
+    /**
+     * Gets the value of the exponent property.
+     *
+     * @return possible object is byte[]
+     */
+    public byte[] getExponent() {
+        return exponent;
+    }
+
+    /**
+     * Sets the value of the exponent property.
+     *
+     * @param value allowed object is byte[]
+     */
+    public void setExponent(byte[] value) {
+        this.exponent = ((byte[]) value);
+    }
+
+    /**
+     * Convert to the JDK representation of a RSA Public Key
+     *
+     * @return
+     *
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     */
+    public RSAPublicKey convertToPublicKey() throws ProcessingException {
+        BigInteger bigModulus = new BigInteger(1, massage(Base64.decode(new String(modulus))));
+        BigInteger bigEx = new BigInteger(1, massage(Base64.decode(new String(exponent))));
+
+        try {
+            KeyFactory rsaKeyFactory = KeyFactory.getInstance("rsa");
+            RSAPublicKeySpec kspec = new RSAPublicKeySpec(bigModulus, bigEx);
+            return (RSAPublicKey) rsaKeyFactory.generatePublic(kspec);
+        } catch (Exception e) {
+            throw new ProcessingException(e);
+        }
+    }
+
+    /**
+     * Convert to the JDK representation of a RSA Private Key
+     *
+     * @return
+     *
+     * @throws ProcessingException
+     */
+    public RSAPrivateKey convertToPrivateKey() throws ProcessingException {
+        BigInteger bigModulus = new BigInteger(1, massage(Base64.decode(new String(modulus))));
+        BigInteger bigEx = new BigInteger(1, massage(Base64.decode(new String(exponent))));
+
+        try {
+            KeyFactory rsaKeyFactory = KeyFactory.getInstance("rsa");
+            RSAPrivateKeySpec kspec = new RSAPrivateKeySpec(bigModulus, bigEx);
+            return (RSAPrivateKey) rsaKeyFactory.generatePrivate(kspec);
+        } catch (Exception e) {
+            throw new ProcessingException(e);
+        }
+    }
+
+    public String toString() {
+        String prefix = WSTrustConstants.XMLDSig.DSIG_PREFIX;
+        String colon = ":";
+        String left = "<";
+        String right = ">";
+        String slash = "/";
+
+        StringBuilder sb = new StringBuilder();
+
+        sb.append(left).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.RSA_KEYVALUE).append(right);
+
+        sb.append(left).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.MODULUS).append(right);
+        sb.append(new String(getModulus()));
+        sb.append(left).append(slash).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.MODULUS).append(right);
+
+        sb.append(left).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.EXPONENT).append(right);
+        sb.append(new String(getExponent()));
+        sb.append(left).append(slash).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.EXPONENT).append(right);
+
+        sb.append(left).append(slash).append(prefix).append(colon).append(WSTrustConstants.XMLDSig.RSA_KEYVALUE).append(right);
+        return sb.toString();
+    }
+
+    private byte[] massage(byte[] byteArray) {
+        if (byteArray[0] == 0) {
+            byte[] substring = new byte[byteArray.length - 1];
+            System.arraycopy(byteArray, 1, substring, 0, byteArray.length - 1);
+            return substring;
+        }
+        return byteArray;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/ReferenceType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/ReferenceType.java
new file mode 100755
index 0000000000..ea95b05761
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/ReferenceType.java
@@ -0,0 +1,160 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+/**
+ * <p>
+ * Java class for ReferenceType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ReferenceType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}Transforms" minOccurs="0"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}DigestMethod"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}DigestValue"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Id" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *       &lt;attribute name="URI" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="Type" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ReferenceType {
+
+    protected TransformsType transforms;
+    protected DigestMethodType digestMethod;
+    protected byte[] digestValue;
+    protected String id;
+    protected String uri;
+    protected String type;
+
+    /**
+     * Gets the value of the transforms property.
+     *
+     * @return possible object is {@link TransformsType }
+     */
+    public TransformsType getTransforms() {
+        return transforms;
+    }
+
+    /**
+     * Sets the value of the transforms property.
+     *
+     * @param value allowed object is {@link TransformsType }
+     */
+    public void setTransforms(TransformsType value) {
+        this.transforms = value;
+    }
+
+    /**
+     * Gets the value of the digestMethod property.
+     *
+     * @return possible object is {@link DigestMethodType }
+     */
+    public DigestMethodType getDigestMethod() {
+        return digestMethod;
+    }
+
+    /**
+     * Sets the value of the digestMethod property.
+     *
+     * @param value allowed object is {@link DigestMethodType }
+     */
+    public void setDigestMethod(DigestMethodType value) {
+        this.digestMethod = value;
+    }
+
+    /**
+     * Gets the value of the digestValue property.
+     *
+     * @return possible object is byte[]
+     */
+    public byte[] getDigestValue() {
+        return digestValue;
+    }
+
+    /**
+     * Sets the value of the digestValue property.
+     *
+     * @param value allowed object is byte[]
+     */
+    public void setDigestValue(byte[] value) {
+        this.digestValue = ((byte[]) value);
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setId(String value) {
+        this.id = value;
+    }
+
+    /**
+     * Gets the value of the uri property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getURI() {
+        return uri;
+    }
+
+    /**
+     * Sets the value of the uri property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setURI(String value) {
+        this.uri = value;
+    }
+
+    /**
+     * Gets the value of the type property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getType() {
+        return type;
+    }
+
+    /**
+     * Sets the value of the type property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setType(String value) {
+        this.type = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/RetrievalMethodType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/RetrievalMethodType.java
new file mode 100755
index 0000000000..32c6974fec
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/RetrievalMethodType.java
@@ -0,0 +1,101 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+/**
+ * <p>
+ * Java class for RetrievalMethodType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="RetrievalMethodType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}Transforms" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="URI" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="Type" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class RetrievalMethodType {
+
+    protected TransformsType transforms;
+    protected String uri;
+    protected String type;
+
+    /**
+     * Gets the value of the transforms property.
+     *
+     * @return possible object is {@link TransformsType }
+     */
+    public TransformsType getTransforms() {
+        return transforms;
+    }
+
+    /**
+     * Sets the value of the transforms property.
+     *
+     * @param value allowed object is {@link TransformsType }
+     */
+    public void setTransforms(TransformsType value) {
+        this.transforms = value;
+    }
+
+    /**
+     * Gets the value of the uri property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getURI() {
+        return uri;
+    }
+
+    /**
+     * Sets the value of the uri property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setURI(String value) {
+        this.uri = value;
+    }
+
+    /**
+     * Gets the value of the type property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getType() {
+        return type;
+    }
+
+    /**
+     * Sets the value of the type property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setType(String value) {
+        this.type = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SPKIDataType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SPKIDataType.java
new file mode 100755
index 0000000000..90adf2dec7
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SPKIDataType.java
@@ -0,0 +1,65 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for SPKIDataType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SPKIDataType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence maxOccurs="unbounded">
+ *         &lt;element name="SPKISexp" type="{http://www.w3.org/2001/XMLSchema}base64Binary"/>
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class SPKIDataType {
+
+    protected List<Object> spkiSexpAndAny = new ArrayList<Object>();
+
+    public void addSPKI(Object obj) {
+        this.spkiSexpAndAny.add(obj);
+    }
+
+    public void removeSPKI(Object obj) {
+        this.spkiSexpAndAny.remove(obj);
+    }
+
+    /**
+     * Gets the value of the spkiSexpAndAny property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link org.w3c.dom.Element } {@link Object }
+     */
+    public List<Object> getSPKISexpAndAny() {
+        return Collections.unmodifiableList(this.spkiSexpAndAny);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignatureMethodType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignatureMethodType.java
new file mode 100755
index 0000000000..9f2c4af678
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignatureMethodType.java
@@ -0,0 +1,86 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for SignatureMethodType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SignatureMethodType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element name="HMACOutputLength" type="{http://www.w3.org/2000/09/xmldsig#}HMACOutputLengthType"
+ * minOccurs="0"/>
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Algorithm" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class SignatureMethodType {
+
+    protected List<Object> content = new ArrayList<Object>();
+    protected String algorithm;
+
+    public void add(Object obj) {
+        this.content.add(obj);
+    }
+
+    public void remove(Object obj) {
+        this.content.remove(obj);
+    }
+
+    /**
+     * Gets the value of the content property.
+     *
+     * {@link Object } {@link String }
+     */
+    public List<Object> getContent() {
+        return Collections.unmodifiableList(this.content);
+    }
+
+    /**
+     * Gets the value of the algorithm property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getAlgorithm() {
+        return algorithm;
+    }
+
+    /**
+     * Sets the value of the algorithm property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setAlgorithm(String value) {
+        this.algorithm = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignaturePropertiesType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignaturePropertiesType.java
new file mode 100755
index 0000000000..9f38ffc104
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignaturePropertiesType.java
@@ -0,0 +1,85 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for SignaturePropertiesType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SignaturePropertiesType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}SignatureProperty" maxOccurs="unbounded"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Id" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class SignaturePropertiesType {
+
+    protected List<SignaturePropertyType> signatureProperty = new ArrayList<SignaturePropertyType>();
+    protected String id;
+
+    public void addSignatureProperty(SignaturePropertyType sig) {
+        this.signatureProperty.add(sig);
+    }
+
+    public void removeSignatureProperty(SignaturePropertyType sig) {
+        this.signatureProperty.remove(sig);
+    }
+
+    /**
+     * Gets the value of the signatureProperty property.
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link SignaturePropertyType }
+     */
+    public List<SignaturePropertyType> getSignatureProperty() {
+        return Collections.unmodifiableList(this.signatureProperty);
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setId(String value) {
+        this.id = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignaturePropertyType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignaturePropertyType.java
new file mode 100755
index 0000000000..25fd5ef754
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignaturePropertyType.java
@@ -0,0 +1,95 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for SignaturePropertyType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SignaturePropertyType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice maxOccurs="unbounded">
+ *         &lt;any/>
+ *       &lt;/choice>
+ *       &lt;attribute name="Target" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="Id" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class SignaturePropertyType {
+
+    protected List<Object> content = new ArrayList<Object>();
+    protected String target;
+    protected String id;
+
+    /**
+     * Gets the value of the content property.
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link org.w3c.dom.Element } {@link Object } {@link String }
+     */
+    public List<Object> getContent() {
+        return this.content;
+    }
+
+    /**
+     * Gets the value of the target property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getTarget() {
+        return target;
+    }
+
+    /**
+     * Sets the value of the target property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setTarget(String value) {
+        this.target = value;
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setId(String value) {
+        this.id = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignatureType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignatureType.java
new file mode 100755
index 0000000000..f8f38c116b
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignatureType.java
@@ -0,0 +1,144 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for SignatureType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SignatureType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}SignedInfo"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}SignatureValue"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}KeyInfo" minOccurs="0"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}Object" maxOccurs="unbounded" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Id" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class SignatureType {
+
+    protected SignedInfoType signedInfo;
+    protected SignatureValueType signatureValue;
+    protected KeyInfoType keyInfo;
+    protected List<ObjectType> object = new ArrayList<ObjectType>();
+    protected String id;
+
+    /**
+     * Gets the value of the signedInfo property.
+     *
+     * @return possible object is {@link SignedInfoType }
+     */
+    public SignedInfoType getSignedInfo() {
+        return signedInfo;
+    }
+
+    /**
+     * Sets the value of the signedInfo property.
+     *
+     * @param value allowed object is {@link SignedInfoType }
+     */
+    public void setSignedInfo(SignedInfoType value) {
+        this.signedInfo = value;
+    }
+
+    /**
+     * Gets the value of the signatureValue property.
+     *
+     * @return possible object is {@link SignatureValueType }
+     */
+    public SignatureValueType getSignatureValue() {
+        return signatureValue;
+    }
+
+    /**
+     * Sets the value of the signatureValue property.
+     *
+     * @param value allowed object is {@link SignatureValueType }
+     */
+    public void setSignatureValue(SignatureValueType value) {
+        this.signatureValue = value;
+    }
+
+    /**
+     * Gets the value of the keyInfo property.
+     *
+     * @return possible object is {@link KeyInfoType }
+     */
+    public KeyInfoType getKeyInfo() {
+        return keyInfo;
+    }
+
+    /**
+     * Sets the value of the keyInfo property.
+     *
+     * @param value allowed object is {@link KeyInfoType }
+     */
+    public void setKeyInfo(KeyInfoType value) {
+        this.keyInfo = value;
+    }
+
+    public void addObject(ObjectType obj) {
+        this.object.add(obj);
+    }
+
+    public void removeObject(ObjectType obj) {
+        this.object.remove(obj);
+    }
+
+    /**
+     * Gets the value of the object property.
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ObjectType }
+     */
+    public List<ObjectType> getObject() {
+        return Collections.unmodifiableList(this.object);
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setId(String value) {
+        this.id = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignatureValueType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignatureValueType.java
new file mode 100755
index 0000000000..7faf77b7be
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignatureValueType.java
@@ -0,0 +1,77 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+/**
+ * <p>
+ * Java class for SignatureValueType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SignatureValueType">
+ *   &lt;simpleContent>
+ *     &lt;extension base="&lt;http://www.w3.org/2001/XMLSchema>base64Binary">
+ *       &lt;attribute name="Id" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *     &lt;/extension>
+ *   &lt;/simpleContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class SignatureValueType {
+
+    protected byte[] value;
+    protected String id;
+
+    /**
+     * Gets the value of the value property.
+     *
+     * @return possible object is byte[]
+     */
+    public byte[] getValue() {
+        return value;
+    }
+
+    /**
+     * Sets the value of the value property.
+     *
+     * @param value allowed object is byte[]
+     */
+    public void setValue(byte[] value) {
+        this.value = ((byte[]) value);
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setId(String value) {
+        this.id = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignedInfoType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignedInfoType.java
new file mode 100755
index 0000000000..1d207f583d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/SignedInfoType.java
@@ -0,0 +1,125 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for SignedInfoType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="SignedInfoType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}CanonicalizationMethod"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}SignatureMethod"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}Reference" maxOccurs="unbounded"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Id" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class SignedInfoType {
+
+    protected CanonicalizationMethodType canonicalizationMethod;
+    protected SignatureMethodType signatureMethod;
+    protected List<ReferenceType> reference = new ArrayList<ReferenceType>();
+    protected String id;
+
+    /**
+     * Gets the value of the canonicalizationMethod property.
+     *
+     * @return possible object is {@link CanonicalizationMethodType }
+     */
+    public CanonicalizationMethodType getCanonicalizationMethod() {
+        return canonicalizationMethod;
+    }
+
+    /**
+     * Sets the value of the canonicalizationMethod property.
+     *
+     * @param value allowed object is {@link CanonicalizationMethodType }
+     */
+    public void setCanonicalizationMethod(CanonicalizationMethodType value) {
+        this.canonicalizationMethod = value;
+    }
+
+    /**
+     * Gets the value of the signatureMethod property.
+     *
+     * @return possible object is {@link SignatureMethodType }
+     */
+    public SignatureMethodType getSignatureMethod() {
+        return signatureMethod;
+    }
+
+    /**
+     * Sets the value of the signatureMethod property.
+     *
+     * @param value allowed object is {@link SignatureMethodType }
+     */
+    public void setSignatureMethod(SignatureMethodType value) {
+        this.signatureMethod = value;
+    }
+
+    public void add(ReferenceType ref) {
+        this.reference.add(ref);
+    }
+
+    public void remove(ReferenceType ref) {
+        this.reference.remove(ref);
+    }
+
+    /**
+     * Gets the value of the reference property.
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link ReferenceType }
+     */
+    public List<ReferenceType> getReference() {
+        return Collections.unmodifiableList(this.reference);
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setId(String value) {
+        this.id = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/TransformType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/TransformType.java
new file mode 100755
index 0000000000..d8601eb2dd
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/TransformType.java
@@ -0,0 +1,82 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for TransformType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="TransformType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice maxOccurs="unbounded" minOccurs="0">
+ *         &lt;any/>
+ *         &lt;element name="XPath" type="{http://www.w3.org/2001/XMLSchema}string"/>
+ *       &lt;/choice>
+ *       &lt;attribute name="Algorithm" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class TransformType {
+
+    protected List<Object> content = new ArrayList<Object>();
+    protected URI algorithm;
+
+    public TransformType(URI algorithm) {
+        this.algorithm = algorithm;
+    }
+
+    public void addTransform(Object obj) {
+        this.content.add(obj);
+    }
+
+    public void removeTransform(Object obj) {
+        this.content.remove(obj);
+    }
+
+    /**
+     * Gets the value of the content property.
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link org.w3c.dom.Element } {@link String } {@link Object }
+     */
+    public List<Object> getContent() {
+        return Collections.unmodifiableList(this.content);
+    }
+
+    /**
+     * Gets the value of the algorithm property.
+     *
+     * @return possible object is {@link String }
+     */
+    public URI getAlgorithm() {
+        return algorithm;
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/TransformsType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/TransformsType.java
new file mode 100755
index 0000000000..1bda4d1e46
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/TransformsType.java
@@ -0,0 +1,65 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for TransformsType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="TransformsType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}Transform" maxOccurs="unbounded"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class TransformsType {
+
+    protected List<TransformType> transform = new ArrayList<TransformType>();
+
+    public void addTransformsType(TransformType tt) {
+        this.transform.add(tt);
+    }
+
+    public void removeTransformsType(TransformType tt) {
+        this.transform.remove(tt);
+    }
+
+    /**
+     * Gets the value of the transform property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link TransformType }
+     */
+    public List<TransformType> getTransform() {
+        return Collections.unmodifiableList(this.transform);
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/X509CertificateType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/X509CertificateType.java
new file mode 100755
index 0000000000..303f7534b7
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/X509CertificateType.java
@@ -0,0 +1,31 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+public class X509CertificateType {
+
+    private byte[] encodedCertificate;
+
+    public byte[] getEncodedCertificate() {
+        return this.encodedCertificate;
+    }
+
+    public void setEncodedCertificate(byte[] encodedCertificate) {
+        this.encodedCertificate = encodedCertificate;
+    }
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/X509DataType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/X509DataType.java
new file mode 100755
index 0000000000..02d32556ed
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/X509DataType.java
@@ -0,0 +1,71 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for X509DataType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="X509DataType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence maxOccurs="unbounded">
+ *         &lt;choice>
+ *           &lt;element name="X509IssuerSerial" type="{http://www.w3.org/2000/09/xmldsig#}X509IssuerSerialType"/>
+ *           &lt;element name="X509SKI" type="{http://www.w3.org/2001/XMLSchema}base64Binary"/>
+ *           &lt;element name="X509SubjectName" type="{http://www.w3.org/2001/XMLSchema}string"/>
+ *           &lt;element name="X509Certificate" type="{http://www.w3.org/2001/XMLSchema}base64Binary"/>
+ *           &lt;element name="X509CRL" type="{http://www.w3.org/2001/XMLSchema}base64Binary"/>
+ *           &lt;any/>
+ *         &lt;/choice>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class X509DataType {
+
+    protected List<Object> x509IssuerSerialOrX509SKIOrX509SubjectName = new ArrayList<Object>();
+
+    public void add(Object obj) {
+        this.x509IssuerSerialOrX509SKIOrX509SubjectName.add(obj);
+    }
+
+    public void remove(Object obj) {
+        this.x509IssuerSerialOrX509SKIOrX509SubjectName.remove(obj);
+    }
+
+    /**
+     * Gets the value of the x509IssuerSerialOrX509SKIOrX509SubjectName property.
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link org.w3c.dom.Element } {@link Object }
+     */
+    public List<Object> getDataObjects() {
+        return Collections.unmodifiableList(this.x509IssuerSerialOrX509SKIOrX509SubjectName);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/X509IssuerSerialType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/X509IssuerSerialType.java
new file mode 100755
index 0000000000..d137cfa77a
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/X509IssuerSerialType.java
@@ -0,0 +1,82 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
+import java.math.BigInteger;
+
+/**
+ * <p>
+ * Java class for X509IssuerSerialType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="X509IssuerSerialType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element name="X509IssuerName" type="{http://www.w3.org/2001/XMLSchema}string"/>
+ *         &lt;element name="X509SerialNumber" type="{http://www.w3.org/2001/XMLSchema}integer"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class X509IssuerSerialType {
+
+    protected String x509IssuerName;
+    protected BigInteger x509SerialNumber;
+
+    /**
+     * Gets the value of the x509IssuerName property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getX509IssuerName() {
+        return x509IssuerName;
+    }
+
+    /**
+     * Sets the value of the x509IssuerName property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setX509IssuerName(String value) {
+        this.x509IssuerName = value;
+    }
+
+    /**
+     * Gets the value of the x509SerialNumber property.
+     *
+     * @return possible object is {@link BigInteger }
+     */
+    public BigInteger getX509SerialNumber() {
+        return x509SerialNumber;
+    }
+
+    /**
+     * Sets the value of the x509SerialNumber property.
+     *
+     * @param value allowed object is {@link BigInteger }
+     */
+    public void setX509SerialNumber(BigInteger value) {
+        this.x509SerialNumber = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/package-info.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/package-info.java
new file mode 100755
index 0000000000..73e4e41b5f
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmldsig/package-info.java
@@ -0,0 +1,19 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmldsig;
+
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/AgreementMethodType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/AgreementMethodType.java
new file mode 100755
index 0000000000..fdba7503ef
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/AgreementMethodType.java
@@ -0,0 +1,87 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmlenc;
+
+import org.keycloak.dom.xmlsec.w3.xmldsig.KeyInfoType;
+
+/**
+ * <p>
+ * Java class for AgreementMethodType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="AgreementMethodType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element name="KA-Nonce" type="{http://www.w3.org/2001/XMLSchema}base64Binary" minOccurs="0"/>
+ *         &lt;any/>
+ *         &lt;element name="OriginatorKeyInfo" type="{http://www.w3.org/2000/09/xmldsig#}KeyInfoType" minOccurs="0"/>
+ *         &lt;element name="RecipientKeyInfo" type="{http://www.w3.org/2000/09/xmldsig#}KeyInfoType" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Algorithm" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class AgreementMethodType {
+
+    protected String algorithm;
+
+    public static class AggrementMethod {
+
+        protected byte[] kANonce;
+        protected KeyInfoType originatorKeyInfo;
+        protected KeyInfoType recipientKeyInfo;
+
+        public AggrementMethod(byte[] kANonce, KeyInfoType originatorKeyInfo, KeyInfoType recipientKeyInfo) {
+            this.kANonce = kANonce;
+            this.originatorKeyInfo = originatorKeyInfo;
+            this.recipientKeyInfo = recipientKeyInfo;
+        }
+
+        public byte[] getkANonce() {
+            return kANonce;
+        }
+
+        public KeyInfoType getOriginatorKeyInfo() {
+            return originatorKeyInfo;
+        }
+
+        public KeyInfoType getRecipientKeyInfo() {
+            return recipientKeyInfo;
+        }
+    }
+
+    public AgreementMethodType(String algo) {
+        this.algorithm = algo;
+    }
+
+    /**
+     * Gets the value of the algorithm property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getAlgorithm() {
+        return algorithm;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/CipherDataType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/CipherDataType.java
new file mode 100755
index 0000000000..3cb220ccac
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/CipherDataType.java
@@ -0,0 +1,80 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmlenc;
+
+/**
+ * <p>
+ * Java class for CipherDataType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="CipherDataType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice>
+ *         &lt;element name="CipherValue" type="{http://www.w3.org/2001/XMLSchema}base64Binary"/>
+ *         &lt;element ref="{http://www.w3.org/2001/04/xmlenc#}CipherReference"/>
+ *       &lt;/choice>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class CipherDataType {
+
+    protected byte[] cipherValue;
+    protected CipherReferenceType cipherReference;
+
+    /**
+     * Gets the value of the cipherValue property.
+     *
+     * @return possible object is byte[]
+     */
+    public byte[] getCipherValue() {
+        return cipherValue;
+    }
+
+    /**
+     * Sets the value of the cipherValue property.
+     *
+     * @param value allowed object is byte[]
+     */
+    public void setCipherValue(byte[] value) {
+        this.cipherValue = ((byte[]) value);
+    }
+
+    /**
+     * Gets the value of the cipherReference property.
+     *
+     * @return possible object is {@link CipherReferenceType }
+     */
+    public CipherReferenceType getCipherReference() {
+        return cipherReference;
+    }
+
+    /**
+     * Sets the value of the cipherReference property.
+     *
+     * @param value allowed object is {@link CipherReferenceType }
+     */
+    public void setCipherReference(CipherReferenceType value) {
+        this.cipherReference = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/CipherReferenceType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/CipherReferenceType.java
new file mode 100755
index 0000000000..2a2a9d84ad
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/CipherReferenceType.java
@@ -0,0 +1,78 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmlenc;
+
+import java.net.URI;
+
+/**
+ * <p>
+ * Java class for CipherReferenceType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="CipherReferenceType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice>
+ *         &lt;element name="Transforms" type="{http://www.w3.org/2001/04/xmlenc#}TransformsType" minOccurs="0"/>
+ *       &lt;/choice>
+ *       &lt;attribute name="URI" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class CipherReferenceType {
+
+    protected TransformsType transforms;
+    protected URI uri;
+
+    public CipherReferenceType(URI uri) {
+
+    }
+
+    /**
+     * Gets the value of the transforms property.
+     *
+     * @return possible object is {@link TransformsType }
+     */
+    public TransformsType getTransforms() {
+        return transforms;
+    }
+
+    /**
+     * Sets the value of the transforms property.
+     *
+     * @param value allowed object is {@link TransformsType }
+     */
+    public void setTransforms(TransformsType value) {
+        this.transforms = value;
+    }
+
+    /**
+     * Gets the value of the uri property.
+     *
+     * @return possible object is {@link String }
+     */
+    public URI getURI() {
+        return uri;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptedDataType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptedDataType.java
new file mode 100755
index 0000000000..454b501a68
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptedDataType.java
@@ -0,0 +1,38 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmlenc;
+
+/**
+ * <p>
+ * Java class for EncryptedDataType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="EncryptedDataType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{http://www.w3.org/2001/04/xmlenc#}EncryptedType">
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class EncryptedDataType extends EncryptedType {
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptedKeyType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptedKeyType.java
new file mode 100755
index 0000000000..e2b2c53376
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptedKeyType.java
@@ -0,0 +1,102 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.dom.xmlsec.w3.xmlenc;
+
+/**
+ * <p>
+ * Java class for EncryptedKeyType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="EncryptedKeyType">
+ *   &lt;complexContent>
+ *     &lt;extension base="{http://www.w3.org/2001/04/xmlenc#}EncryptedType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2001/04/xmlenc#}ReferenceList" minOccurs="0"/>
+ *         &lt;element name="CarriedKeyName" type="{http://www.w3.org/2001/XMLSchema}string" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Recipient" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *     &lt;/extension>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class EncryptedKeyType extends EncryptedType {
+
+    protected ReferenceList referenceList;
+    protected String carriedKeyName;
+    protected String recipient;
+
+    /**
+     * Gets the value of the referenceList property.
+     *
+     * @return possible object is {@link ReferenceList }
+     */
+    public ReferenceList getReferenceList() {
+        return referenceList;
+    }
+
+    /**
+     * Sets the value of the referenceList property.
+     *
+     * @param value allowed object is {@link ReferenceList }
+     */
+    public void setReferenceList(ReferenceList value) {
+        this.referenceList = value;
+    }
+
+    /**
+     * Gets the value of the carriedKeyName property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getCarriedKeyName() {
+        return carriedKeyName;
+    }
+
+    /**
+     * Sets the value of the carriedKeyName property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setCarriedKeyName(String value) {
+        this.carriedKeyName = value;
+    }
+
+    /**
+     * Gets the value of the recipient property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getRecipient() {
+        return recipient;
+    }
+
+    /**
+     * Sets the value of the recipient property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setRecipient(String value) {
+        this.recipient = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptedType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptedType.java
new file mode 100755
index 0000000000..fecd4b0686
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptedType.java
@@ -0,0 +1,204 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmlenc;
+
+import org.keycloak.dom.xmlsec.w3.xmldsig.KeyInfoType;
+
+/**
+ * <p>
+ * Java class for EncryptedType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="EncryptedType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element name="EncryptionMethod" type="{http://www.w3.org/2001/04/xmlenc#}EncryptionMethodType"
+ * minOccurs="0"/>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}KeyInfo" minOccurs="0"/>
+ *         &lt;element ref="{http://www.w3.org/2001/04/xmlenc#}CipherData"/>
+ *         &lt;element ref="{http://www.w3.org/2001/04/xmlenc#}EncryptionProperties" minOccurs="0"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Id" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *       &lt;attribute name="Type" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="MimeType" type="{http://www.w3.org/2001/XMLSchema}string" />
+ *       &lt;attribute name="Encoding" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public abstract class EncryptedType {
+
+    protected EncryptionMethodType encryptionMethod;
+    protected KeyInfoType keyInfo;
+    protected CipherDataType cipherData;
+    protected EncryptionPropertiesType encryptionProperties;
+    protected String id;
+    protected String type;
+    protected String mimeType;
+    protected String encoding;
+
+    /**
+     * Gets the value of the encryptionMethod property.
+     *
+     * @return possible object is {@link EncryptionMethodType }
+     */
+    public EncryptionMethodType getEncryptionMethod() {
+        return encryptionMethod;
+    }
+
+    /**
+     * Sets the value of the encryptionMethod property.
+     *
+     * @param value allowed object is {@link EncryptionMethodType }
+     */
+    public void setEncryptionMethod(EncryptionMethodType value) {
+        this.encryptionMethod = value;
+    }
+
+    /**
+     * Gets the value of the keyInfo property.
+     *
+     * @return possible object is {@link KeyInfoType }
+     */
+    public KeyInfoType getKeyInfo() {
+        return keyInfo;
+    }
+
+    /**
+     * Sets the value of the keyInfo property.
+     *
+     * @param value allowed object is {@link KeyInfoType }
+     */
+    public void setKeyInfo(KeyInfoType value) {
+        this.keyInfo = value;
+    }
+
+    /**
+     * Gets the value of the cipherData property.
+     *
+     * @return possible object is {@link CipherDataType }
+     */
+    public CipherDataType getCipherData() {
+        return cipherData;
+    }
+
+    /**
+     * Sets the value of the cipherData property.
+     *
+     * @param value allowed object is {@link CipherDataType }
+     */
+    public void setCipherData(CipherDataType value) {
+        this.cipherData = value;
+    }
+
+    /**
+     * Gets the value of the encryptionProperties property.
+     *
+     * @return possible object is {@link EncryptionPropertiesType }
+     */
+    public EncryptionPropertiesType getEncryptionProperties() {
+        return encryptionProperties;
+    }
+
+    /**
+     * Sets the value of the encryptionProperties property.
+     *
+     * @param value allowed object is {@link EncryptionPropertiesType }
+     */
+    public void setEncryptionProperties(EncryptionPropertiesType value) {
+        this.encryptionProperties = value;
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setId(String value) {
+        this.id = value;
+    }
+
+    /**
+     * Gets the value of the type property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getType() {
+        return type;
+    }
+
+    /**
+     * Sets the value of the type property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setType(String value) {
+        this.type = value;
+    }
+
+    /**
+     * Gets the value of the mimeType property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getMimeType() {
+        return mimeType;
+    }
+
+    /**
+     * Sets the value of the mimeType property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setMimeType(String value) {
+        this.mimeType = value;
+    }
+
+    /**
+     * Gets the value of the encoding property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getEncoding() {
+        return encoding;
+    }
+
+    /**
+     * Sets the value of the encoding property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setEncoding(String value) {
+        this.encoding = value;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptionMethodType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptionMethodType.java
new file mode 100755
index 0000000000..0273ded9fb
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptionMethodType.java
@@ -0,0 +1,89 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmlenc;
+
+import java.math.BigInteger;
+
+/**
+ * <p>
+ * Java class for EncryptionMethodType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="EncryptionMethodType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element name="KeySize" type="{http://www.w3.org/2001/04/xmlenc#}KeySizeType" minOccurs="0"/>
+ *         &lt;element name="OAEPparams" type="{http://www.w3.org/2001/XMLSchema}base64Binary" minOccurs="0"/>
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Algorithm" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class EncryptionMethodType {
+
+    protected String algorithm;
+
+    protected EncryptionMethod encryptionMethod;
+
+    public static class EncryptionMethod {
+
+        protected BigInteger keySize;
+        protected byte[] OAEPparams;
+
+        public EncryptionMethod(BigInteger bigInteger, byte[] oAEPparams) {
+            this.keySize = bigInteger;
+            OAEPparams = oAEPparams;
+        }
+
+        public BigInteger getKeySize() {
+            return keySize;
+        }
+
+        public byte[] getOAEPparams() {
+            return OAEPparams;
+        }
+    }
+
+    public EncryptionMethodType(String algo) {
+        this.algorithm = algo;
+    }
+
+    public EncryptionMethod getEncryptionMethod() {
+        return encryptionMethod;
+    }
+
+    public void setEncryptionMethod(EncryptionMethod encryptionMethod) {
+        this.encryptionMethod = encryptionMethod;
+    }
+
+    /**
+     * Gets the value of the algorithm property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getAlgorithm() {
+        return algorithm;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptionPropertiesType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptionPropertiesType.java
new file mode 100755
index 0000000000..a91e14dc00
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptionPropertiesType.java
@@ -0,0 +1,84 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmlenc;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for EncryptionPropertiesType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="EncryptionPropertiesType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2001/04/xmlenc#}EncryptionProperty" maxOccurs="unbounded"/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="Id" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class EncryptionPropertiesType {
+
+    protected List<EncryptionPropertyType> encryptionProperty = new ArrayList<EncryptionPropertyType>();
+    protected String id;
+
+    public void addEncryptionProperty(EncryptionPropertyType enc) {
+        this.encryptionProperty.add(enc);
+    }
+
+    public void removeEncryptionProperty(EncryptionPropertyType enc) {
+        this.encryptionProperty.remove(enc);
+    }
+
+    /**
+     * Gets the value of the encryptionProperty property.
+     *
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link EncryptionPropertyType }
+     */
+    public List<EncryptionPropertyType> getEncryptionProperty() {
+        return Collections.unmodifiableList(this.encryptionProperty);
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setId(String value) {
+        this.id = value;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptionPropertyType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptionPropertyType.java
new file mode 100755
index 0000000000..7f1725e765
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/EncryptionPropertyType.java
@@ -0,0 +1,109 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmlenc;
+
+import javax.xml.namespace.QName;
+import java.net.URI;
+import java.util.Collections;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * <p>
+ * Java class for EncryptionPropertyType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="EncryptionPropertyType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice maxOccurs="unbounded">
+ *         &lt;any/>
+ *       &lt;/choice>
+ *       &lt;attribute name="Target" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *       &lt;attribute name="Id" type="{http://www.w3.org/2001/XMLSchema}ID" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class EncryptionPropertyType {
+
+    protected URI target;
+    protected String id;
+    private Map<QName, String> otherAttributes = new HashMap<QName, String>();
+
+    /**
+     * Gets the value of the target property.
+     *
+     * @return possible object is {@link URI }
+     */
+    public URI getTarget() {
+        return target;
+    }
+
+    /**
+     * Sets the value of the target property.
+     *
+     * @param value allowed object is {@link URI }
+     */
+    public void setTarget(URI value) {
+        this.target = value;
+    }
+
+    /**
+     * Gets the value of the id property.
+     *
+     * @return possible object is {@link String }
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * Sets the value of the id property.
+     *
+     * @param value allowed object is {@link String }
+     */
+    public void setId(String value) {
+        this.id = value;
+    }
+
+    public void addOtherAttribute(QName key, String val) {
+        this.otherAttributes.put(key, val);
+    }
+
+    public void addOtherAttributes(Map<QName, String> otherMap) {
+        this.otherAttributes.putAll(otherMap);
+    }
+
+    public void removeOtherAttribute(QName key) {
+        this.otherAttributes.remove(key);
+    }
+
+    /**
+     * Gets a map that contains attributes that aren't bound to any typed property on this class.
+     *
+     * @return always non-null
+     */
+    public Map<QName, String> getOtherAttributes() {
+        return Collections.unmodifiableMap(otherAttributes);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/ReferenceList.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/ReferenceList.java
new file mode 100755
index 0000000000..6c80a60a92
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/ReferenceList.java
@@ -0,0 +1,82 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmlenc;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for anonymous complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType>
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;choice maxOccurs="unbounded">
+ *         &lt;element name="DataReference" type="{http://www.w3.org/2001/04/xmlenc#}ReferenceType"/>
+ *         &lt;element name="KeyReference" type="{http://www.w3.org/2001/04/xmlenc#}ReferenceType"/>
+ *       &lt;/choice>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ReferenceList {
+
+    public static class References {
+
+        private ReferenceType dataReference;
+        private ReferenceType keyReference;
+
+        public References(ReferenceType dataReference, ReferenceType keyReference) {
+            this.dataReference = dataReference;
+            this.keyReference = keyReference;
+        }
+
+        public ReferenceType getDataReference() {
+            return dataReference;
+        }
+
+        public ReferenceType getKeyReference() {
+            return keyReference;
+        }
+    }
+
+    private List<References> referencesList = new ArrayList<References>();
+
+    public void add(References ref) {
+        this.referencesList.add(ref);
+    }
+
+    public void addAll(List<References> refs) {
+        this.referencesList.addAll(refs);
+    }
+
+    public void remove(References ref) {
+        this.referencesList.remove(ref);
+    }
+
+    public List<References> getReferences() {
+        return Collections.unmodifiableList(referencesList);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/ReferenceType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/ReferenceType.java
new file mode 100755
index 0000000000..6cb791eb6c
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/ReferenceType.java
@@ -0,0 +1,68 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmlenc;
+
+import java.net.URI;
+
+/**
+ * <p>
+ * Java class for ReferenceType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="ReferenceType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;any/>
+ *       &lt;/sequence>
+ *       &lt;attribute name="URI" use="required" type="{http://www.w3.org/2001/XMLSchema}anyURI" />
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class ReferenceType {
+
+    protected URI uri;
+
+    public Object reference;
+
+    public ReferenceType(URI uri) {
+        this.uri = uri;
+    }
+
+    public Object getReference() {
+        return reference;
+    }
+
+    public void setReference(Object reference) {
+        this.reference = reference;
+    }
+
+    /**
+     * Gets the value of the uri property.
+     *
+     * @return possible object is {@link URI }
+     */
+    public URI getURI() {
+        return uri;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/TransformsType.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/TransformsType.java
new file mode 100755
index 0000000000..19c3f544c5
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/TransformsType.java
@@ -0,0 +1,69 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmlenc;
+
+import org.keycloak.dom.xmlsec.w3.xmldsig.TransformType;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * <p>
+ * Java class for TransformsType complex type.
+ *
+ * <p>
+ * The following schema fragment specifies the expected content contained within this class.
+ *
+ * <pre>
+ * &lt;complexType name="TransformsType">
+ *   &lt;complexContent>
+ *     &lt;restriction base="{http://www.w3.org/2001/XMLSchema}anyType">
+ *       &lt;sequence>
+ *         &lt;element ref="{http://www.w3.org/2000/09/xmldsig#}Transform" maxOccurs="unbounded"/>
+ *       &lt;/sequence>
+ *     &lt;/restriction>
+ *   &lt;/complexContent>
+ * &lt;/complexType>
+ * </pre>
+ */
+public class TransformsType {
+
+    protected List<TransformType> transform = new ArrayList<TransformType>();
+
+    public void add(TransformType tt) {
+        this.transform.add(tt);
+    }
+
+    public void addAll(List<TransformType> ttlist) {
+        this.transform.addAll(ttlist);
+    }
+
+    public void remove(TransformType tt) {
+        this.transform.remove(tt);
+    }
+
+    /**
+     * Gets the value of the transform property.
+     * <p>
+     * Objects of the following type(s) are allowed in the list {@link TransformType }
+     */
+    public List<TransformType> getTransform() {
+        return Collections.unmodifiableList(this.transform);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/package-info.java b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/package-info.java
new file mode 100755
index 0000000000..58e88e0a0d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/dom/xmlsec/w3/xmlenc/package-info.java
@@ -0,0 +1,19 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.dom.xmlsec.w3.xmlenc;
+
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/DefaultPicketLinkLogger.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/DefaultPicketLinkLogger.java
new file mode 100755
index 0000000000..6872f8056b
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/DefaultPicketLinkLogger.java
@@ -0,0 +1,2386 @@
+/*
+ *JBoss, Home of Professional Open Source.
+ *Copyright 2012, Red Hat, Inc., and individual contributors
+ *as indicated by the @author tags. See the copyright.txt file in the
+ *distribution for a full listing of individual contributors.
+ *
+ *This is free software; you can redistribute it and/or modify it
+ *under the terms of the GNU Lesser General Public License as
+ *published by the Free Software Foundation; either version 2.1 of
+ *the License, or (at your option) any later version.
+ *
+ *This software is distributed in the hope that it will be useful,
+ *but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ *Lesser General Public License for more details.
+ *
+ *You should have received a copy of the GNU Lesser General Public
+ *License along with this software; if not, write to the Free
+ *Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ *02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+
+package org.keycloak.saml.common;
+
+import org.jboss.logging.Logger;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.constants.WSTrustConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.exceptions.TrustKeyConfigurationException;
+import org.keycloak.saml.common.exceptions.TrustKeyProcessingException;
+import org.keycloak.saml.common.exceptions.fed.AssertionExpiredException;
+import org.keycloak.saml.common.exceptions.fed.IssueInstantMissingException;
+import org.keycloak.saml.common.exceptions.fed.IssuerNotTrustedException;
+import org.keycloak.saml.common.exceptions.fed.SignatureValidationException;
+import org.keycloak.saml.common.exceptions.fed.WSTrustException;
+import org.w3c.dom.Element;
+
+import javax.security.auth.login.LoginException;
+import javax.xml.crypto.dsig.XMLSignatureException;
+import javax.xml.stream.Location;
+import javax.xml.ws.WebServiceException;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+/**
+ *@author <a href="mailto:psilva@redhat.com">Pedro Silva</a>
+ *
+ */
+
+/**@author <a href="mailto:psilva@redhat.com">Pedro Silva</a> */
+public class DefaultPicketLinkLogger implements PicketLinkLogger {
+
+    private Logger logger = Logger.getLogger(PicketLinkLogger.class.getPackage().getName());
+
+    DefaultPicketLinkLogger() {
+
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#info(java.lang.String)
+     */
+    @Override
+    public void info(String message) {
+        if (logger.isInfoEnabled()) {
+            logger.info(message);
+        }
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#debug(java.lang.String)
+     */
+    @Override
+    public void debug(String message) {
+        if (logger.isDebugEnabled()) {
+            logger.debug(message);
+        }
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#trace(java.lang.String)
+     */
+    @Override
+    public void trace(String message) {
+        if (logger.isTraceEnabled()) {
+            logger.trace(message);
+        }
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     * @see org.picketlink.identity.federation.PicketLinkLogger#trace(java.lang.String, java.lang.Throwable)
+     */
+    @Override
+    public void trace(String message, Throwable t) {
+        if (logger.isTraceEnabled()) {
+            logger.trace(message, t);
+        }
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#trace(java.lang.Throwable)
+     */
+    @Override
+    public void trace(Throwable t) {
+        if (logger.isTraceEnabled()) {
+            logger.trace(t.getMessage(), t);
+        }
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#error(java.lang.Throwable)
+     */
+    @Override
+    public void error(Throwable t) {
+        logger.error("Unexpected error", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#nullArgument(java.lang.String)
+     */
+    @Override
+    public IllegalArgumentException nullArgumentError(String argument) {
+        return new IllegalArgumentException(ErrorCodes.NULL_ARGUMENT + argument);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#shouldNotBeTheSame(java.lang.String)
+     */
+    @Override
+    public IllegalArgumentException shouldNotBeTheSameError(String string) {
+        return new IllegalArgumentException(ErrorCodes.SHOULD_NOT_BE_THE_SAME
+                + "Only one of isSigningKey and isEncryptionKey should be true");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#resourceNotFound(java.lang.String)
+     */
+    @Override
+    public ProcessingException resourceNotFound(String resource) {
+        return new ProcessingException(ErrorCodes.RESOURCE_NOT_FOUND + resource + " could not be loaded");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#processingError(java.lang.Throwable)
+     */
+    @Override
+    public ProcessingException processingError(Throwable t) {
+        return new ProcessingException(ErrorCodes.PROCESSING_EXCEPTION, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#unsupportedType(java.lang.String)
+     */
+    @Override
+    public RuntimeException unsupportedType(String name) {
+        return new RuntimeException(ErrorCodes.UNSUPPORTED_TYPE + name);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#signatureError(java.lang.Throwable)
+     */
+    @Override
+    public XMLSignatureException signatureError(Throwable e) {
+        return new XMLSignatureException(ErrorCodes.SIGNING_PROCESS_FAILURE, e);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#nullValue(java.lang.String)
+     */
+    @Override
+    public RuntimeException nullValueError(String nullValue) {
+        return new RuntimeException(ErrorCodes.NULL_VALUE + nullValue);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#notImplementedYet()
+     */
+    @Override
+    public RuntimeException notImplementedYet(String feature) {
+        return new RuntimeException(ErrorCodes.NOT_IMPLEMENTED_YET + feature);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#auditNullAuditManager()
+     */
+    @Override
+    public IllegalStateException auditNullAuditManager() {
+        return new IllegalStateException(ErrorCodes.AUDIT_MANAGER_NULL);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#isInfoEnabled()
+     */
+    @Override
+    public boolean isInfoEnabled() {
+        return logger.isInfoEnabled();
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#auditEvent(java.lang.String)
+     */
+    @Override
+    public void auditEvent(String auditEvent) {
+        this.info(auditEvent);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#injectedValueMissing(java.lang.String)
+     */
+    @Override
+    public RuntimeException injectedValueMissing(String value) {
+        return new RuntimeException(ErrorCodes.INJECTED_VALUE_MISSING + value);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keystoreSetup()
+     */
+    @Override
+    public void keyStoreSetup() {
+        this.trace("getPublicKey::Keystore is null. so setting it up");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreNullStore()
+     */
+    @Override
+    public IllegalStateException keyStoreNullStore() {
+        return new IllegalStateException(ErrorCodes.KEYSTOREKEYMGR_NULL_KEYSTORE);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreNullPublicKeyForAlias(java.lang.String)
+     */
+    @Override
+    public void keyStoreNullPublicKeyForAlias(String alias) {
+        this.trace("No public key found for alias=" + alias);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreConfigurationError(java.lang.Throwable)
+     */
+    @Override
+    public TrustKeyConfigurationException keyStoreConfigurationError(Throwable t) {
+        return new TrustKeyConfigurationException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreProcessingError(java.lang.Throwable)
+     */
+    @Override
+    public TrustKeyProcessingException keyStoreProcessingError(Throwable t) {
+        return new TrustKeyProcessingException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreMissingDomainAlias(java.lang.String)
+     */
+    @Override
+    public IllegalStateException keyStoreMissingDomainAlias(String domain) {
+        return new IllegalStateException(ErrorCodes.KEYSTOREKEYMGR_DOMAIN_ALIAS_MISSING + domain);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreNullSigningKeyPass()
+     */
+    @Override
+    public RuntimeException keyStoreNullSigningKeyPass() {
+        return new RuntimeException(ErrorCodes.KEYSTOREKEYMGR_NULL_SIGNING_KEYPASS);
+    }
+
+    @Override
+    public RuntimeException keyStoreNullEncryptionKeyPass() {
+        return new RuntimeException(ErrorCodes.KEYSTOREKEYMGR_NULL_ENCRYPTION_KEYPASS);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreNotLocated(java.lang.String)
+     */
+    @Override
+    public RuntimeException keyStoreNotLocated(String keyStore) {
+        return new RuntimeException(ErrorCodes.KEYSTOREKEYMGR_KEYSTORE_NOT_LOCATED + keyStore);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#keyStoreNullAlias()
+     */
+    @Override
+    public IllegalStateException keyStoreNullAlias() {
+        return new IllegalStateException(ErrorCodes.KEYSTOREKEYMGR_NULL_ALIAS);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserUnknownEndElement(java.lang.String)
+     */
+    @Override
+    public RuntimeException parserUnknownEndElement(String endElementName) {
+        return new RuntimeException(ErrorCodes.UNKNOWN_END_ELEMENT + endElementName);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parseUnknownTag(java.lang.String, javax.xml.stream.Location)
+     */
+    @Override
+    public RuntimeException parserUnknownTag(String tag, Location location) {
+        return new RuntimeException(ErrorCodes.UNKNOWN_TAG + tag + "::location=" + location);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parseRequiredAttribute(java.lang.String)
+     */
+    @Override
+    public ParsingException parserRequiredAttribute(String string) {
+        return new ParsingException(ErrorCodes.REQD_ATTRIBUTE + string);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserUnknownStartElement(java.lang.String,
+     *javax.xml.stream.Location)
+     */
+    @Override
+    public RuntimeException parserUnknownStartElement(String elementName, Location location) {
+        return new RuntimeException(ErrorCodes.UNKNOWN_START_ELEMENT + elementName + "::location=" + location);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserNullStartElement()
+     */
+    @Override
+    public IllegalStateException parserNullStartElement() {
+        return new IllegalStateException(ErrorCodes.NULL_START_ELEMENT);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserUnknownXSI(java.lang.String)
+     */
+    @Override
+    public ParsingException parserUnknownXSI(String xsiTypeValue) {
+        return new ParsingException(ErrorCodes.UNKNOWN_XSI + xsiTypeValue);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserExpectedEndTag(java.lang.String)
+     */
+    @Override
+    public ParsingException parserExpectedEndTag(String tagName) {
+        return new ParsingException(ErrorCodes.EXPECTED_END_TAG + "RequestAbstract or XACMLAuthzDecisionQuery");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserException(java.lang.Exception)
+     */
+    @Override
+    public ParsingException parserException(Throwable t) {
+        return new ParsingException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserExpectedTextValue(java.lang.String)
+     */
+    @Override
+    public ParsingException parserExpectedTextValue(String string) {
+        return new ParsingException(ErrorCodes.EXPECTED_TEXT_VALUE + "SigningAlias");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserExpectedXSI(java.lang.String)
+     */
+    @Override
+    public RuntimeException parserExpectedXSI(String expectedXsi) {
+        return new RuntimeException(expectedXsi);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserExpectedTag(java.lang.String, java.lang.String)
+     */
+    @Override
+    public RuntimeException parserExpectedTag(String tag, String foundElementTag) {
+        return new RuntimeException(ErrorCodes.EXPECTED_TAG + tag + ">.  Found <" + foundElementTag + ">");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserFailed()
+     */
+    @Override
+    public RuntimeException parserFailed(String elementName) {
+        return new RuntimeException(ErrorCodes.FAILED_PARSING + elementName);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserUnableParsingNullToken()
+     */
+    @Override
+    public ParsingException parserUnableParsingNullToken() {
+        return new ParsingException(ErrorCodes.UNABLE_PARSING_NULL_TOKEN);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#parserError(java.lang.Exception)
+     */
+    @Override
+    public ParsingException parserError(Throwable t) {
+        return new ParsingException(ErrorCodes.PARSING_ERROR + t.getMessage(), t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#pdpMessageProcessingError(java.lang.Exception)
+     */
+    @Override
+    public RuntimeException xacmlPDPMessageProcessingError(Throwable t) {
+        return new RuntimeException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#fileNotLocated(java.lang.String)
+     */
+    @Override
+    public IllegalStateException fileNotLocated(String policyConfigFileName) {
+        return new IllegalStateException(ErrorCodes.FILE_NOT_LOCATED + policyConfigFileName);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#optionNotSet(java.lang.String)
+     */
+    @Override
+    public IllegalStateException optionNotSet(String option) {
+        return new IllegalStateException(ErrorCodes.OPTION_NOT_SET + option);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#securityTokenRegistryNotSpecified()
+     */
+    @Override
+    public void stsTokenRegistryNotSpecified() {
+        this.warn("Security Token registry option not specified: Issued Tokens will not be persisted!");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#securityTokenRegistryInvalidType(java.lang.String)
+     */
+    @Override
+    public void stsTokenRegistryInvalidType(String tokenRegistryOption) {
+        logger.warn(tokenRegistryOption + " is not an instance of SecurityTokenRegistry - using default registry");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#securityTokenRegistryInstantiationError()
+     */
+    @Override
+    public void stsTokenRegistryInstantiationError() {
+        logger.warn("Error instantiating token registry class - using default registry");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#revocationRegistryNotSpecified()
+     */
+    @Override
+    public void stsRevocationRegistryNotSpecified() {
+        this.debug("Revocation registry option not specified: cancelled ids will not be persisted!");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#revocationRegistryInvalidType(java.lang.String)
+     */
+    @Override
+    public void stsRevocationRegistryInvalidType(String registryOption) {
+        logger.warn(registryOption + " is not an instance of RevocationRegistry - using default registry");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#revocationRegistryInstantiationError()
+     */
+    @Override
+    public void stsRevocationRegistryInstantiationError() {
+        logger.warn("Error instantiating revocation registry class - using default registry");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#assertionExpiredError()
+     */
+    @Override
+    public ProcessingException samlAssertionExpiredError() {
+        return new ProcessingException(ErrorCodes.EXPIRED_ASSERTION);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#assertionInvalidError()
+     */
+    @Override
+    public ProcessingException assertionInvalidError() {
+        return new ProcessingException(ErrorCodes.INVALID_ASSERTION);
+    }
+
+    @Override
+    public RuntimeException writerUnknownTypeError(String name) {
+        return new RuntimeException(ErrorCodes.WRITER_UNKNOWN_TYPE + name);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#writerNullValueError(java.lang.String)
+     */
+    @Override
+    public ProcessingException writerNullValueError(String value) {
+        return new ProcessingException(ErrorCodes.WRITER_NULL_VALUE + value);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#writerUnsupportedAttributeValueError(java.lang.String)
+     */
+    @Override
+    public RuntimeException writerUnsupportedAttributeValueError(String value) {
+        return new RuntimeException(ErrorCodes.WRITER_UNSUPPORTED_ATTRIB_VALUE + value);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#issuerInfoMissingStatusCodeError()
+     */
+    @Override
+    public IllegalArgumentException issuerInfoMissingStatusCodeError() {
+        return new IllegalArgumentException(ErrorCodes.ISSUER_INFO_MISSING_STATUS_CODE);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#classNotLoadedError(java.lang.String)
+     */
+    @Override
+    public ProcessingException classNotLoadedError(String fqn) {
+        return new ProcessingException(ErrorCodes.CLASS_NOT_LOADED + fqn);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#couldNotCreateInstance(java.lang.String, java.lang.Exception)
+     */
+    @Override
+    public ProcessingException couldNotCreateInstance(String fqn, Throwable t) {
+        return new ProcessingException(ErrorCodes.CANNOT_CREATE_INSTANCE + fqn, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#systemPropertyMissingError(java.lang.String)
+     */
+    @Override
+    public RuntimeException systemPropertyMissingError(String property) {
+        return new RuntimeException(ErrorCodes.SYSTEM_PROPERTY_MISSING + property);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#metaDataIdentityProviderLoadingError(java.lang.Exception)
+     */
+    @Override
+    public void samlMetaDataIdentityProviderLoadingError(Throwable t) {
+        logger.error("Exception loading the identity providers:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#metaDataServiceProviderLoadingError(java.lang.Throwable)
+     */
+    @Override
+    public void samlMetaDataServiceProviderLoadingError(Throwable t) {
+        logger.error("Exception loading the service providers:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#signatureAssertionValidationError(java.lang.Exception)
+     */
+    @Override
+    public void signatureAssertionValidationError(Throwable t) {
+        logger.error("Cannot validate signature of assertion", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#assertionExpired(java.lang.String)
+     */
+    @Override
+    public void samlAssertionExpired(String id) {
+        this.info("Assertion has expired with id=" + id);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#unknownObjectType(java.lang.Object)
+     */
+    @Override
+    public RuntimeException unknownObjectType(Object attrValue) {
+        return new RuntimeException(ErrorCodes.UNKNOWN_OBJECT_TYPE + attrValue);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see
+     *org.picketlink.identity.federation.PicketLinkLogger#configurationError(javax.xml.parsers.ParserConfigurationException)
+     */
+    @Override
+    public ConfigurationException configurationError(Throwable t) {
+        return new ConfigurationException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#signatureUnknownAlgo(java.lang.String)
+     */
+    @Override
+    public RuntimeException signatureUnknownAlgo(String algo) {
+        return new RuntimeException(ErrorCodes.UNKNOWN_SIG_ALGO + algo);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#invalidArgumentError(java.lang.String)
+     */
+    @Override
+    public IllegalArgumentException invalidArgumentError(String message) {
+        return new IllegalArgumentException(message);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsNoTokenProviderError(java.lang.String)
+     */
+    @Override
+    public ProcessingException stsNoTokenProviderError(String configuration, String protocolContext) {
+        return new ProcessingException(ErrorCodes.STS_NO_TOKEN_PROVIDER + configuration + "][ProtoCtx=" + protocolContext + "]");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsConfigurationFileNotFoundTCL(java.lang.String)
+     */
+    @Override
+    public void stsConfigurationFileNotFoundTCL(String fileName) {
+        logger.warn(fileName + " configuration file not found using TCCL");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsConfigurationFileNotFoundClassLoader(java.lang.String)
+     */
+    @Override
+    public void stsConfigurationFileNotFoundClassLoader(String fileName) {
+        logger.warn(fileName + " configuration file not found using class loader");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsUsingDefaultConfiguration(java.lang.String)
+     */
+    @Override
+    public void stsUsingDefaultConfiguration(String fileName) {
+        logger.warn(fileName + " configuration file not found using URL. Using default configuration values");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsConfigurationFileLoaded(java.lang.String)
+     */
+    @Override
+    public void stsConfigurationFileLoaded(String fileName) {
+        this.info(fileName + " configuration file loaded");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsConfigurationFileParsingError(java.lang.Throwable)
+     */
+    @Override
+    public ConfigurationException stsConfigurationFileParsingError(Throwable t) {
+        return new ConfigurationException(ErrorCodes.STS_CONFIGURATION_FILE_PARSING_ERROR, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#notSerializableError(java.lang.String)
+     */
+    @Override
+    public IOException notSerializableError(String message) {
+        return new IOException(ErrorCodes.NOT_SERIALIZABLE + message);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#trustKeyCreationError()
+     */
+    @Override
+    public void trustKeyManagerCreationError(Throwable t) {
+        logger.error("Exception creating TrustKeyManager:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#error(java.lang.String)
+     */
+    @Override
+    public void error(String message) {
+        logger.error(message);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#couldNotGetXMLSchema(java.lang.Throwable)
+     */
+    @Override
+    public void xmlCouldNotGetSchema(Throwable t) {
+        logger.error("Cannot get schema", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#isTraceEnabled()
+     */
+    @Override
+    public boolean isTraceEnabled() {
+        return logger.isTraceEnabled();
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#isDebugEnabled()
+     */
+    @Override
+    public boolean isDebugEnabled() {
+        return logger.isDebugEnabled();
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jceProviderCouldNotBeLoaded(java.lang.Throwable)
+     */
+    @Override
+    public void jceProviderCouldNotBeLoaded(String name, Throwable t) {
+        logger.debug("The provider " + name + " could not be added: ", t);
+        logger.debug("Check addJceProvider method of org.picketlink.identity.federation.core.util.ProvidersUtil for more info.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#writerInvalidKeyInfoNullContent()
+     */
+    @Override
+    public ProcessingException writerInvalidKeyInfoNullContentError() {
+        return new ProcessingException(ErrorCodes.WRITER_INVALID_KEYINFO_NULL_CONTENT);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#notEqualError(java.lang.String, java.lang.String)
+     */
+    @Override
+    public RuntimeException notEqualError(String first, String second) {
+        return new RuntimeException(ErrorCodes.NOT_EQUAL + first + " and " + second);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#wrongTypeError(java.lang.String)
+     */
+    @Override
+    public IllegalArgumentException wrongTypeError(String message) {
+        return new IllegalArgumentException(ErrorCodes.WRONG_TYPE + "xmlSource should be a stax source");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#encryptUnknownAlgoError(java.lang.String)
+     */
+    @Override
+    public RuntimeException encryptUnknownAlgoError(String certAlgo) {
+        return new RuntimeException(ErrorCodes.UNKNOWN_ENC_ALGO + certAlgo);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#domMissingDocElementError(java.lang.String)
+     */
+    @Override
+    public IllegalStateException domMissingDocElementError(String element) {
+        return new IllegalStateException(ErrorCodes.DOM_MISSING_DOC_ELEMENT + element);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#domMissingElementError(java.lang.String)
+     */
+    @Override
+    public IllegalStateException domMissingElementError(String element) {
+        return new IllegalStateException(ErrorCodes.DOM_MISSING_ELEMENT + element);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsWSInvalidTokenRequestError()
+     */
+    @Override
+    public WebServiceException stsWSInvalidTokenRequestError() {
+        return new WebServiceException(ErrorCodes.STS_INVALID_TOKEN_REQUEST);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsWSError(java.lang.Throwable)
+     */
+    @Override
+    public WebServiceException stsWSError(Throwable t) {
+        return new WebServiceException("Security Token Service Exception", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsWSConfigurationError(java.lang.Throwable)
+     */
+    @Override
+    public WebServiceException stsWSConfigurationError(Throwable t) {
+        return new WebServiceException(ErrorCodes.STS_CONFIGURATION_EXCEPTION, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsWSInvalidRequestTypeError(java.lang.String)
+     */
+    @Override
+    public WSTrustException stsWSInvalidRequestTypeError(String requestType) {
+        return new WSTrustException(ErrorCodes.STS_INVALID_REQUEST_TYPE + requestType);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsWSHandlingTokenRequestError(java.lang.Throwable)
+     */
+    @Override
+    public WebServiceException stsWSHandlingTokenRequestError(Throwable t) {
+        return new WebServiceException(ErrorCodes.STS_EXCEPTION_HANDLING_TOKEN_REQ + t.getMessage(), t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsWSResponseWritingError(java.lang.Throwable)
+     */
+    @Override
+    public WebServiceException stsWSResponseWritingError(Throwable t) {
+        return new WebServiceException(ErrorCodes.STS_RESPONSE_WRITING_ERROR + t.getMessage(), t);
+    }
+
+    @Override
+    public RuntimeException stsUnableToConstructKeyManagerError(Throwable t) {
+        return new RuntimeException(ErrorCodes.STS_UNABLE_TO_CONSTRUCT_KEYMGR, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsPublicKeyError(java.lang.String, java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException stsPublicKeyError(String serviceName, Throwable t) {
+        return new RuntimeException(ErrorCodes.STS_PUBLIC_KEY_ERROR + serviceName, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsSigningKeyPairError(java.lang.Exception)
+     */
+    @Override
+    public RuntimeException stsSigningKeyPairError(Throwable t) {
+        return new RuntimeException(ErrorCodes.STS_SIGNING_KEYPAIR_ERROR, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsPublicKeyCertError(java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException stsPublicKeyCertError(Throwable t) {
+        return new RuntimeException(ErrorCodes.STS_PUBLIC_KEY_CERT, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#tokenTimeoutNotSpecified()
+     */
+    @Override
+    public void stsTokenTimeoutNotSpecified() {
+        this.warn("Lifetime has not been specified. Using the default timeout value.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsCombinedSecretKeyError(java.lang.Throwable)
+     */
+    @Override
+    public WSTrustException wsTrustCombinedSecretKeyError(Throwable t) {
+        return new WSTrustException(ErrorCodes.STS_COMBINED_SECRET_KEY_ERROR, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsClientPublicKeyError()
+     */
+    @Override
+    public WSTrustException wsTrustClientPublicKeyError() {
+        return new WSTrustException(ErrorCodes.STS_CLIENT_PUBLIC_KEY_ERROR);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsError(java.lang.Throwable)
+     */
+    @Override
+    public WSTrustException stsError(Throwable t) {
+        return new WSTrustException(t.getMessage(), t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#signatureInvalidError(java.lang.String, java.lang.Throwable)
+     */
+    @Override
+    public XMLSignatureException signatureInvalidError(String message, Throwable t) {
+        return new XMLSignatureException(ErrorCodes.INVALID_DIGITAL_SIGNATURE + message);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsSecurityTokenSignatureNotVerified()
+     */
+    @Override
+    public void stsSecurityTokenSignatureNotVerified() {
+        this.warn("Security Token digital signature has NOT been verified. Either the STS has been configured"
+                + "not to sign tokens or the STS key pair has not been properly specified.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#encryptProcessError(java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException encryptProcessError(Throwable t) {
+        return new RuntimeException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsSecurityTokenShouldBeEncrypted()
+     */
+    @Override
+    public void stsSecurityTokenShouldBeEncrypted() {
+        logger.warn("Security token should be encrypted but no encrypting key could be found");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsUnableToDecodePasswordError(java.lang.String)
+     */
+    @Override
+    public RuntimeException unableToDecodePasswordError(String password) {
+        return new RuntimeException(ErrorCodes.PROCESSING_EXCEPTION + "Unable to decode password:" + password);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#couldNotLoadProperties(java.lang.String)
+     */
+    @Override
+    public IllegalStateException couldNotLoadProperties(String configFile) {
+        return new IllegalStateException(ErrorCodes.PROCESSING_EXCEPTION + "Could not load properties from " + configFile);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsKeyInfoTypeCreationError(java.lang.Throwable)
+     */
+    @Override
+    public WSTrustException stsKeyInfoTypeCreationError(Throwable t) {
+        return new WSTrustException(ErrorCodes.PROCESSING_EXCEPTION + "Error creating KeyInfoType", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsSecretKeyNotEncrypted()
+     */
+    @Override
+    public void stsSecretKeyNotEncrypted() {
+        logger.warn("Secret key could not be encrypted because the endpoint's PKC has not been specified");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authCouldNotIssueSAMLToken()
+     */
+    @Override
+    public LoginException authCouldNotIssueSAMLToken() {
+        return new LoginException(ErrorCodes.PROCESSING_EXCEPTION + "Could not issue a SAML Security Token");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authLoginError(java.lang.Throwable)
+     */
+    @Override
+    public LoginException authLoginError(Throwable t) {
+        LoginException loginException = new LoginException("Error during login/authentication");
+
+        loginException.initCause(t);
+
+        return loginException;
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authCouldNotCreateWSTrustClient(java.lang.Throwable)
+     */
+    @Override
+    public IllegalStateException authCouldNotCreateWSTrustClient(Throwable t) {
+        return new IllegalStateException(ErrorCodes.PROCESSING_EXCEPTION + "Could not create WSTrustClient:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSAMLAssertionWithoutExpiration(java.lang.String)
+     */
+    @Override
+    public void samlAssertionWithoutExpiration(String id) {
+        logger.warn("SAML Assertion has been found to have no expiration: ID = " + id);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authCouldNotValidateSAMLToken(org.w3c.dom.Element)
+     */
+    @Override
+    public LoginException authCouldNotValidateSAMLToken(Element token) {
+        return new LoginException(ErrorCodes.PROCESSING_EXCEPTION + "Could not validate the SAML Security Token :" + token);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authCouldNotLocateSecurityToken()
+     */
+    @Override
+    public LoginException authCouldNotLocateSecurityToken() {
+        return new LoginException(ErrorCodes.NULL_VALUE + "Could not locate a Security Token from the callback.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#wsTrustNullCancelTargetError()
+     */
+    @Override
+    public ProcessingException wsTrustNullCancelTargetError() {
+        return new ProcessingException(ErrorCodes.NULL_VALUE + "Invalid cancel request: missing required CancelTarget");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#saml11MarshallError(java.lang.Throwable)
+     */
+    @Override
+    public ProcessingException samlAssertionMarshallError(Throwable t) {
+        return new ProcessingException(ErrorCodes.PROCESSING_EXCEPTION + "Failed to marshall assertion", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#wsTrustNullRenewTargetError()
+     */
+    @Override
+    public ProcessingException wsTrustNullRenewTargetError() {
+        return new ProcessingException(ErrorCodes.NULL_VALUE + "Invalid renew request: missing required RenewTarget");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#saml11UnmarshallError(java.lang.Throwable)
+     */
+    @Override
+    public ProcessingException samlAssertionUnmarshallError(Throwable t) {
+        return new ProcessingException(ErrorCodes.PROCESSING_EXCEPTION + "Error unmarshalling assertion", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlAssertionRevokedCouldNotRenew()
+     */
+    @Override
+    public ProcessingException samlAssertionRevokedCouldNotRenew(String id) {
+        return new ProcessingException(ErrorCodes.ASSERTION_RENEWAL_EXCEPTION + "SAMLV1.1 Assertion with id " + id
+                + " has been canceled and cannot be renewed");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#wsTrustNullValidationTargetError()
+     */
+    @Override
+    public ProcessingException wsTrustNullValidationTargetError() {
+        return new ProcessingException(ErrorCodes.NULL_VALUE + "Bad validate request: missing required ValidateTarget");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsWrongAttributeProviderTypeNotInstalled(java.lang.String)
+     */
+    @Override
+    public void stsWrongAttributeProviderTypeNotInstalled(String attributeProviderClassName) {
+        logger.warn("Attribute provider not installed: " + attributeProviderClassName
+                + "is not an instance of SAML20TokenAttributeProvider");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#stsAttributeProviderInstationError(java.lang.Throwable)
+     */
+    @Override
+    public void attributeProviderInstationError(Throwable t) {
+        logger.warn("Error instantiating attribute provider: " + t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlAssertion(java.lang.String)
+     */
+    @Override
+    public void samlAssertion(String nodeAsString) {
+        trace("SAML Assertion Element=" + nodeAsString);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#wsTrustUnableToGetDataTypeFactory(javax.xml.datatype.
+     *DatatypeConfigurationException)
+     */
+    @Override
+    public RuntimeException wsTrustUnableToGetDataTypeFactory(Throwable t) {
+        return new RuntimeException(ErrorCodes.PROCESSING_EXCEPTION + "Unable to get DatatypeFactory instance", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#wsTrustValidationStatusCodeMissing()
+     */
+    @Override
+    public ProcessingException wsTrustValidationStatusCodeMissing() {
+        return new ProcessingException(ErrorCodes.NULL_VALUE + "Validation status code is missing");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#identityServerActiveSessionCount(int)
+     */
+    @Override
+    public void samlIdentityServerActiveSessionCount(int activeSessionCount) {
+        info("Active Session Count=" + activeSessionCount);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#identityServerSessionCreated(java.lang.String, int)
+     */
+    @Override
+    public void samlIdentityServerSessionCreated(String id, int activeSessionCount) {
+        trace("Session Created with id=" + id + "::active session count=" + activeSessionCount);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#identityServerSessionDestroyed(java.lang.String, int)
+     */
+    @Override
+    public void samlIdentityServerSessionDestroyed(String id, int activeSessionCount) {
+        trace("Session Destroyed with id=" + id + "::active session count=" + activeSessionCount);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#unknowCredentialType(java.lang.String)
+     */
+    @Override
+    public RuntimeException unknowCredentialType(String name) {
+        return new RuntimeException(ErrorCodes.UNSUPPORTED_TYPE + "Unknown credential type:" + name);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerRoleGeneratorSetupError(java.lang.Throwable)
+     */
+    @Override
+    public void samlHandlerRoleGeneratorSetupError(Throwable t) {
+        logger.error("Exception initializing role generator:", t);
+    }
+
+    @Override
+    public RuntimeException samlHandlerAssertionNotFound() {
+        return new RuntimeException(ErrorCodes.NULL_VALUE + "Assertion not found in the handler request");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerAuthnRequestIsNull()
+     */
+    @Override
+    public ProcessingException samlHandlerAuthnRequestIsNull() {
+        return new ProcessingException(ErrorCodes.NULL_VALUE + "AuthnRequest is null");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerAuthenticationError(java.lang.Throwable)
+     */
+    @Override
+    public void samlHandlerAuthenticationError(Throwable t) {
+        logger.error("Exception in processing authentication:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerNoAssertionFromIDP()
+     */
+    @Override
+    public IllegalArgumentException samlHandlerNoAssertionFromIDP() {
+        return new IllegalArgumentException(ErrorCodes.NULL_VALUE + "No assertions in reply from IDP");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerNullEncryptedAssertion()
+     */
+    @Override
+    public ProcessingException samlHandlerNullEncryptedAssertion() {
+        return new ProcessingException(ErrorCodes.NULL_VALUE + "Null encrypted assertion element");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerIDPAuthenticationFailedError()
+     */
+    @Override
+    public SecurityException samlHandlerIDPAuthenticationFailedError() {
+        return new SecurityException(ErrorCodes.IDP_AUTH_FAILED + "IDP forbid the user");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see
+     *org.picketlink.identity.federation.PicketLinkLogger#assertionExpiredError(org.picketlink.identity.federation.core.saml
+     *.v2.exceptions.AssertionExpiredException)
+     */
+    @Override
+    public ProcessingException assertionExpiredError(AssertionExpiredException aee) {
+        return new ProcessingException(ErrorCodes.EXPIRED_ASSERTION + "Assertion has expired", aee);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#unsupportedRoleType(java.lang.Object)
+     */
+    @Override
+    public RuntimeException unsupportedRoleType(Object attrValue) {
+        return new RuntimeException(ErrorCodes.UNSUPPORTED_TYPE + "Unknown role object type : " + attrValue);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerFailedInResponseToVerification(java.lang.String,
+     *java.lang.String)
+     */
+    @Override
+    public void samlHandlerFailedInResponseToVerification(String inResponseTo, String authnRequestId) {
+        trace("Verification of InResponseTo failed. InResponseTo from SAML response is " + inResponseTo
+                + ". Value of request Id from HTTP session is " + authnRequestId);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerFailedInResponseToVerificarionError()
+     */
+    @Override
+    public ProcessingException samlHandlerFailedInResponseToVerificarionError() {
+        return new ProcessingException(ErrorCodes.AUTHN_REQUEST_ID_VERIFICATION_FAILED);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerIssuerNotTrustedError(java.lang.String)
+     */
+    @Override
+    public IssuerNotTrustedException samlIssuerNotTrustedError(String issuer) {
+        return new IssuerNotTrustedException("Issuer not Trusted: " + issuer);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerIssuerNotTrustedError(java.lang.Throwable)
+     */
+    @Override
+    public IssuerNotTrustedException samlIssuerNotTrustedException(Throwable t) {
+        return new IssuerNotTrustedException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerTrustElementMissingError()
+     */
+    @Override
+    public ConfigurationException samlHandlerTrustElementMissingError() {
+        return new ConfigurationException(ErrorCodes.NULL_VALUE + "trust element missing");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerIdentityServerNotFound()
+     */
+    @Override
+    public ProcessingException samlHandlerIdentityServerNotFoundError() {
+        return new ProcessingException(ErrorCodes.NULL_VALUE + "Identity Server not found");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerPrincipalNotFoundError()
+     */
+    @Override
+    public ProcessingException samlHandlerPrincipalNotFoundError() {
+        return new ProcessingException(ErrorCodes.PRINCIPAL_NOT_FOUND);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerKeyPairNotFound()
+     */
+    @Override
+    public void samlHandlerKeyPairNotFound() {
+        trace("Key Pair cannot be found");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerKeyPairNotFoundError()
+     */
+    @Override
+    public ProcessingException samlHandlerKeyPairNotFoundError() {
+        return new ProcessingException("Key Pair cannot be found");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see
+     *org.picketlink.identity.federation.PicketLinkLogger#samlHandlerErrorSigningRedirectBindingMessage(java.lang.Throwable)
+     */
+    @Override
+    public void samlHandlerErrorSigningRedirectBindingMessage(Throwable t) {
+        logger.error("Error when trying to sign message for redirection", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see
+     *org.picketlink.identity.federation.PicketLinkLogger#samlHandlerSigningRedirectBindingMessageError(org.picketlink.identity
+     *.federation.core.exceptions.ConfigurationException)
+     */
+    @Override
+    public RuntimeException samlHandlerSigningRedirectBindingMessageError(Throwable t) {
+        return new RuntimeException(t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#signatureValidationError()
+     */
+    @Override
+    public SignatureValidationException samlHandlerSignatureValidationFailed() {
+        return new SignatureValidationException(ErrorCodes.INVALID_DIGITAL_SIGNATURE + "Signature Validation Failed");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerErrorValidatingSignature(java.lang.Throwable)
+     */
+    @Override
+    public void samlHandlerErrorValidatingSignature(Throwable t) {
+        logger.error("Error validating signature:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerInvalidSignatureError()
+     */
+    @Override
+    public ProcessingException samlHandlerInvalidSignatureError() {
+        return new ProcessingException(ErrorCodes.INVALID_DIGITAL_SIGNATURE + "Error validating signature.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerSignatureNorPresentError()
+     */
+    @Override
+    public ProcessingException samlHandlerSignatureNotPresentError() {
+        return new ProcessingException(ErrorCodes.INVALID_DIGITAL_SIGNATURE
+                + "Signature Validation failed. Signature is not present. Check if the IDP is supporting signatures.");
+    }
+
+    @Override
+    public ProcessingException samlHandlerSignatureValidationError(Throwable t) {
+        return new ProcessingException(ErrorCodes.INVALID_DIGITAL_SIGNATURE + "Signature Validation failed", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerChainProcessingError(java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException samlHandlerChainProcessingError(Throwable t) {
+        return new RuntimeException("Error during processing the SAML Handler Chain.", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#trustKeyManagerMissing()
+     */
+    @Override
+    public TrustKeyConfigurationException trustKeyManagerMissing() {
+        return new TrustKeyConfigurationException(ErrorCodes.TRUST_MANAGER_MISSING);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlBase64DecodingError(java.lang.Throwable)
+     */
+    @Override
+    public void samlBase64DecodingError(Throwable t) {
+        error("Error in base64 decoding saml message: " + t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlParsingError(java.lang.Throwable)
+     */
+    @Override
+    public void samlParsingError(Throwable t) {
+        logger.error("Exception in parsing saml message:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#attributeManagerMappingContextNull()
+     */
+    @Override
+    public void mappingContextNull() {
+        logger.error("Mapping Context returned is null");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#attributeManagerError(java.lang.Throwable)
+     */
+    @Override
+    public void attributeManagerError(Throwable t) {
+        logger.error("Exception in attribute mapping:", t);
+    }
+
+    @Override
+    public void couldNotObtainSecurityContext() {
+        logger.error("Could not obtain security context.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authFailedToCreatePrincipal(java.lang.Throwable)
+     */
+    @Override
+    public LoginException authFailedToCreatePrincipal(Throwable t) {
+        LoginException loginException = new LoginException(ErrorCodes.PROCESSING_EXCEPTION + "Failed to create principal: "
+                + t.getMessage());
+
+        loginException.initCause(t);
+
+        return loginException;
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSharedCredentialIsNotSAMLCredential()
+     */
+    @Override
+    public LoginException authSharedCredentialIsNotSAMLCredential(String className) {
+        return new LoginException(ErrorCodes.WRONG_TYPE
+                + "SAML2STSLoginModule: Shared credential is not a SAML credential. Got " + className);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSTSConfigFileNotFound()
+     */
+    @Override
+    public LoginException authSTSConfigFileNotFound() {
+        return new LoginException(ErrorCodes.SAML2STSLM_CONF_FILE_MISSING);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authErrorHandlingCallback(java.lang.Throwable)
+     */
+    @Override
+    public LoginException authErrorHandlingCallback(Throwable t) {
+        LoginException loginException = new LoginException("Error handling callback.");
+
+        loginException.initCause(t);
+
+        return loginException;
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authInvalidSAMLAssertionBySTS()
+     */
+    @Override
+    public LoginException authInvalidSAMLAssertionBySTS() {
+        return new LoginException(ErrorCodes.INVALID_ASSERTION
+                + "SAML2STSLoginModule: Supplied assertion was considered invalid by the STS");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authAssertionValidationValies(java.lang.Throwable)
+     */
+    @Override
+    public LoginException authAssertionValidationError(Throwable t) {
+        LoginException loginException = new LoginException("Failed to validate assertion using STS");
+
+        loginException.initCause(t);
+
+        return loginException;
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authFailedToParseSAMLAssertion(java.lang.Throwable)
+     */
+    @Override
+    public LoginException authFailedToParseSAMLAssertion(Throwable t) {
+        LoginException exception = new LoginException("PL00044: SAML2STSLoginModule: Failed to parse assertion element:"
+                + t.getMessage());
+        exception.initCause(t);
+        return exception;
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSAMLAssertionPasingFailed(java.lang.Throwable)
+     */
+    @Override
+    public void samlAssertionPasingFailed(Throwable t) {
+        logger.error("SAML Assertion parsing failed", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authNullKeyStoreFromSecurityDomainError(java.lang.String)
+     */
+    @Override
+    public LoginException authNullKeyStoreFromSecurityDomainError(String name) {
+        return new LoginException(ErrorCodes.NULL_VALUE + "SAML2STSLoginModule: null truststore for " + name);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authNullKeyStoreAliasFromSecurityDomain(java.lang.String)
+     */
+    @Override
+    public LoginException authNullKeyStoreAliasFromSecurityDomainError(String name) {
+        return new LoginException(ErrorCodes.NULL_VALUE + "SAML2STSLoginModule: null KeyStoreAlias for " + name
+                + "; set 'KeyStoreAlias' in '" + name + "' security domain configuration");
+    }
+
+    @Override
+    public LoginException authNoCertificateFoundForAliasError(String alias, String name) {
+        return new LoginException(ErrorCodes.NULL_VALUE + "No certificate found for alias '" + alias + "' in the '" + name
+                + "' security domain");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSAMLInvalidSignature()
+     */
+    @Override
+    public LoginException authSAMLInvalidSignatureError() {
+        return new LoginException(ErrorCodes.INVALID_DIGITAL_SIGNATURE + "SAML2STSLoginModule: "
+                + WSTrustConstants.STATUS_CODE_INVALID + " : invalid SAML V2.0 assertion signature");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSAMLAssertionExpiredError()
+     */
+    @Override
+    public LoginException authSAMLAssertionExpiredError() {
+        return new LoginException(ErrorCodes.EXPIRED_ASSERTION + "SAML2STSLoginModule: " + WSTrustConstants.STATUS_CODE_INVALID
+                + "::assertion expired or used before its lifetime period");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSAMLAssertionIssuingFailed(java.lang.Throwable)
+     */
+    @Override
+    public void authSAMLAssertionIssuingFailed(Throwable t) {
+        logger.error("Unable to issue assertion", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSUnableToCreateBinaryToken(java.lang.Throwable)
+     */
+    @Override
+    public void jbossWSUnableToCreateBinaryToken(Throwable t) {
+        logger.error("Unable to create binary token", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSUnableToCreateSecurityToken()
+     */
+    @Override
+    public void jbossWSUnableToCreateSecurityToken() {
+        logger.warn("Was not able to create security token. Just sending message without binary token");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSUnableToWriteSOAPMessage(java.lang.Exception)
+     */
+    @Override
+    public void jbossWSUnableToWriteSOAPMessage(Throwable t) {
+        logger.error("Exception writing SOAP Message", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSUnableToLoadJBossWSSEConfigError()
+     */
+    @Override
+    public RuntimeException jbossWSUnableToLoadJBossWSSEConfigError() {
+        return new RuntimeException(ErrorCodes.RESOURCE_NOT_FOUND + "unable to load jboss-wsse.xml");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSAuthorizationFailed()
+     */
+    @Override
+    public RuntimeException jbossWSAuthorizationFailed() {
+        return new RuntimeException(ErrorCodes.PROCESSING_EXCEPTION + "Authorization Failed");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSErrorGettingOperationName(java.lang.Throwable)
+     */
+    @Override
+    public void jbossWSErrorGettingOperationName(Throwable t) {
+        logger.error("Exception using backup method to get op name=", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSAMLCredentialNotAvailable()
+     */
+    @Override
+    public LoginException authSAMLCredentialNotAvailable() {
+        return new LoginException(ErrorCodes.NULL_VALUE + "SamlCredential is not available in subject");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#unableToInstantiateHandler(java.lang.String,
+     *java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException authUnableToInstantiateHandler(String token, Throwable t) {
+        return new RuntimeException(ErrorCodes.CANNOT_CREATE_INSTANCE + "Unable to instantiate handler:" + token, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSUnableToCreateSSLSocketFactory(java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException jbossWSUnableToCreateSSLSocketFactory(Throwable t) {
+        return new RuntimeException(ErrorCodes.PROCESSING_EXCEPTION + "Unable to create SSL Socket Factory:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSUnableToFindSSLSocketFactory()
+     */
+    @Override
+    public RuntimeException jbossWSUnableToFindSSLSocketFactory() {
+        return new RuntimeException("We did not find SSL Socket Factory");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authUnableToGetIdentityFromSubject()
+     */
+    @Override
+    public RuntimeException authUnableToGetIdentityFromSubject() {
+        return new RuntimeException(ErrorCodes.PROCESSING_EXCEPTION + "Unable to get the Identity from the subject.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authSAMLAssertionNullOrEmpty()
+     */
+    @Override
+    public RuntimeException authSAMLAssertionNullOrEmpty() {
+        return new RuntimeException("SAML Assertion is null or empty");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#jbossWSUncheckedAndRolesCannotBeTogether()
+     */
+    @Override
+    public ProcessingException jbossWSUncheckedAndRolesCannotBeTogether() {
+        return new ProcessingException(ErrorCodes.PROCESSING_EXCEPTION + "unchecked and role(s) cannot be together");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlIDPHandlingSAML11Error(java.lang.Throwable)
+     */
+    @Override
+    public void samlIDPHandlingSAML11Error(Throwable t) {
+        logger.error("Exception handling saml 11 use case:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlIDPValidationCheckFailed()
+     */
+    @Override
+    public GeneralSecurityException samlIDPValidationCheckFailed() {
+        return new GeneralSecurityException(ErrorCodes.VALIDATION_CHECK_FAILED);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlIDPRequestProcessingError(java.lang.Throwable)
+     */
+    @Override
+    public void samlIDPRequestProcessingError(Throwable t) {
+        logger.error("Exception in processing request:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see
+     *org.picketlink.identity.federation.PicketLinkLogger#samlIDPUnableToSetParticipantStackUsingDefault(java.lang.Throwable)
+     */
+    @Override
+    public void samlIDPUnableToSetParticipantStackUsingDefault(Throwable t) {
+        logger.warn("Unable to set the Identity Participant Stack Class. Will just use the default");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerConfigurationError(java.lang.Throwable)
+     */
+    @Override
+    public void samlHandlerConfigurationError(Throwable t) {
+        logger.error("Exception dealing with handler configuration:", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlIDPSettingCanonicalizationMethod(java.lang.String)
+     */
+    @Override
+    public void samlIDPSettingCanonicalizationMethod(String canonicalizationMethod) {
+        logger.debug("Setting the CanonicalizationMethod on XMLSignatureUtil::" + canonicalizationMethod);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlIDPConfigurationError(java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException samlIDPConfigurationError(Throwable t) {
+        return new RuntimeException(ErrorCodes.PROCESSING_EXCEPTION + t.getMessage(), t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#configurationFileMissing(java.lang.String)
+     */
+    @Override
+    public RuntimeException configurationFileMissing(String configFile) {
+        return new RuntimeException(ErrorCodes.IDP_WEBBROWSER_VALVE_CONF_FILE_MISSING + configFile);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlIDPInstallingDefaultSTSConfig()
+     */
+    @Override
+    public void samlIDPInstallingDefaultSTSConfig() {
+        logger.info("Did not find picketlink-sts.xml. We will install default configuration");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#warn(java.lang.String)
+     */
+    @Override
+    public void warn(String message) {
+        logger.warn(message);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPFallingBackToLocalFormAuthentication()
+     */
+    @Override
+    public void samlSPFallingBackToLocalFormAuthentication() {
+        logger.error("Falling back on local Form Authentication if available");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#unableLocalAuthentication(java.lang.Throwable)
+     */
+    @Override
+    public IOException unableLocalAuthentication(Throwable t) {
+        return new IOException(ErrorCodes.UNABLE_LOCAL_AUTH, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPUnableToGetIDPDescriptorFromMetadata()
+     */
+    @Override
+    public void samlSPUnableToGetIDPDescriptorFromMetadata() {
+        logger.error("Unable to obtain the IDP SSO Descriptor from metadata");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPConfigurationError(java.lang.Throwable)
+     */
+    @Override
+    public RuntimeException samlSPConfigurationError(Throwable t) {
+        return new RuntimeException(t.getMessage(), t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPSettingCanonicalizationMethod(java.lang.String)
+     */
+    @Override
+    public void samlSPSettingCanonicalizationMethod(String canonicalizationMethod) {
+        logger.info("Service Provider is setting the CanonicalizationMethod on XMLSignatureUtil::" +  canonicalizationMethod);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPCouldNotDispatchToLogoutPage(java.lang.String)
+     */
+    @Override
+    public void samlSPCouldNotDispatchToLogoutPage(String logOutPage) {
+        logger.errorf("Cannot dispatch to the logout page: no request dispatcher" + logOutPage);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#usingLoggerImplementation(java.lang.String)
+     */
+    @Override
+    public void usingLoggerImplementation(String className) {
+        logger.debugf("Using logger implementation: " + className);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlResponseFromIDPParsingFailed()
+     */
+    @Override
+    public void samlResponseFromIDPParsingFailed() {
+        logger.error("Error parsing the response from the IDP. Check the strict post binding configuration on both IDP and SP side.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#auditSecurityDomainNotFound(java.lang.Throwable)
+     */
+    @Override
+    public ConfigurationException auditSecurityDomainNotFound(Throwable t) {
+        return new ConfigurationException(
+                "Could not find a security domain configuration. Check if it is defined in WEB-INF/jboss-web.xml or set the "
+                        + GeneralConstants.AUDIT_SECURITY_DOMAIN + " system property.", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#auditAuditManagerNotFound(java.lang.String, java.lang.Throwable)
+     */
+    @Override
+    public ConfigurationException auditAuditManagerNotFound(String location, Throwable t) {
+        return new ConfigurationException("Could not find a audit manager configuration. Location: " + location, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlIssueInstantMissingError()
+     */
+    @Override
+    public IssueInstantMissingException samlIssueInstantMissingError() {
+        return new IssueInstantMissingException(ErrorCodes.NULL_ISSUE_INSTANT);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPResponseNotCatalinaResponse()
+     */
+    @Override
+    public RuntimeException samlSPResponseNotCatalinaResponseError(Object response) {
+        return new RuntimeException(ErrorCodes.SERVICE_PROVIDER_NOT_CATALINA_RESPONSE + ". Received: " + response);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlLogoutError(java.lang.Throwable)
+     */
+    @Override
+    public void samlLogoutError(Throwable t) {
+        logger.error("Error during the logout.", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlErrorPageForwardError(java.lang.String, java.lang.Throwable)
+     */
+    @Override
+    public void samlErrorPageForwardError(String errorPage, Throwable t) {
+        logger.error("Error forwarding to the error page: " + errorPage);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPHandleRequestError(java.lang.Throwable)
+     */
+    @Override
+    public void samlSPHandleRequestError(Throwable t) {
+        logger.error("Service Provider could not handle the request.", t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSPProcessingExceptionError()
+     */
+    @Override
+    public IOException samlSPProcessingExceptionError(Throwable t) {
+        return new IOException(ErrorCodes.SERVICE_PROVIDER_SERVER_EXCEPTION, t);
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlInvalidProtocolBinding()
+     */
+    @Override
+    public IllegalArgumentException samlInvalidProtocolBinding() {
+        return new IllegalArgumentException("Invalid SAML Protocol Binding. Expected POST or REDIRECT.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlHandlerServiceProviderConfigNotFound()
+     */
+    @Override
+    public IllegalStateException samlHandlerServiceProviderConfigNotFound() {
+        return new IllegalStateException("Service Provider configuration not found. Check if the "
+                + GeneralConstants.CONFIGURATION + " parameter is defined in the handler chain config.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSecurityTokenAlreadyPersisted(java.lang.String)
+     */
+    @Override
+    public void samlSecurityTokenAlreadyPersisted(String id) {
+        warn("Security Token with id=" + id + " has already been persisted.");
+    }
+
+    /*
+     *(non-Javadoc)
+     *
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlSecurityTokenNotFoundInRegistry(java.lang.String)
+     */
+    @Override
+    public void samlSecurityTokenNotFoundInRegistry(String id) {
+        warn("Security Token with id=" + id + " was not found in the registry.");
+    }
+
+    /*(non-Javadoc)
+     *@see org.picketlink.identity.federation.PicketLinkLogger#samlMetaDataFailedToCreateCacheDuration(java.lang.String)
+     */
+    @Override
+    public IllegalArgumentException samlMetaDataFailedToCreateCacheDuration(String timeValue) {
+        return new IllegalArgumentException("Cache duration could not be created using '" + timeValue
+                + "'. This value must be an ISO-8601 period or a numeric value representing the duration in milliseconds.");
+    }
+
+    @Override
+    public ConfigurationException samlMetaDataNoIdentityProviderDefined() {
+        return new ConfigurationException("No configuration provided for the Identity Provider.");
+    }
+
+    @Override
+    public ConfigurationException samlMetaDataNoServiceProviderDefined() {
+        return new ConfigurationException("No configuration provided for the Service Provider.");
+    }
+
+    /*(non-Javadoc)
+     *@see org.picketlink.identity.federation.PicketLinkLogger#securityDomainNotFound()
+     */
+    @Override
+    public ConfigurationException securityDomainNotFound() {
+        return new ConfigurationException("The security domain name could not be found. Check your jboss-web.xml.");
+    }
+
+    /*(non-Javadoc)
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authenticationManagerError(org.picketlink.identity.federation.core.exceptions.ConfigurationException)
+     */
+    @Override
+    public void authenticationManagerError(ConfigurationException e) {
+        error("Error loading the AuthenticationManager.", e);
+    }
+
+    private void error(String msg, ConfigurationException e) {
+        logger.error(msg, e);
+    }
+
+    /*(non-Javadoc)
+     *@see org.picketlink.identity.federation.PicketLinkLogger#authorizationManagerError(org.picketlink.identity.federation.core.exceptions.ConfigurationException)
+     */
+    @Override
+    public void authorizationManagerError(ConfigurationException e) {
+        error("Error loading AuthorizationManager.", e);
+    }
+
+    public IllegalStateException jbdcInitializationError(Throwable throwable) {
+        return new IllegalStateException(throwable);
+    }
+
+    public RuntimeException errorUnmarshallingToken(Throwable e) {
+        return new RuntimeException(e);
+    }
+
+    public RuntimeException runtimeException(String msg, Throwable e) {
+        return new RuntimeException(msg, e);
+    }
+
+    public IllegalStateException datasourceIsNull() {
+        return new IllegalStateException();
+    }
+
+    @Override
+    public IllegalArgumentException cannotParseParameterValue(String parameter, Throwable e) {
+        return new IllegalArgumentException("Cannot parse: " + parameter , e);
+    }
+
+    @Override
+    public RuntimeException cannotGetFreeClientPoolKey(String key) {
+        return new RuntimeException("Cannot get free client pool key: " + key);
+    }
+
+    @Override
+    public RuntimeException cannotGetSTSConfigByKey(String key) {
+        return new RuntimeException("Cannot get STS config by key: " + key + ". The pool for given key has to be initialized first by calling STSClientPool.initialize method.");
+    }
+
+    @Override
+    public RuntimeException cannotGetUsedClientsByKey(String key) {
+        return new RuntimeException("Cannot get used clients by key: " + key);
+    }
+
+    @Override
+    public RuntimeException removingNonExistingClientFromUsedClientsByKey(String key) {
+        return new RuntimeException("removing non existing client from used clients by key: " + key);
+    }
+
+    @Override
+    public RuntimeException freePoolAlreadyContainsGivenKey(String key) {
+        return new RuntimeException("Free pool already contains given key: " + key);
+    }
+
+    @Override
+    public RuntimeException maximumNumberOfClientsReachedforPool(String max) {
+        return new RuntimeException("Pool reached miximum number of clients within the pool (" + max + ")");
+    }
+
+    @Override
+    public RuntimeException cannotSetMaxPoolSizeToNegative(String max) {
+        return new RuntimeException("Cannot set maximum STS client pool size to negative number (" + max + ")");
+    }
+
+    @Override
+    public RuntimeException parserFeatureNotSupported(String feature) {
+        return new RuntimeException("Parser feature " + feature + " not supported.");
+    }
+
+    @Override
+    public ProcessingException samlAssertionWrongAudience(String serviceURL) {
+        return new ProcessingException("Wrong audience [" + serviceURL + "].");
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/ErrorCodes.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/ErrorCodes.java
new file mode 100755
index 0000000000..70fc27d514
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/ErrorCodes.java
@@ -0,0 +1,206 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common;
+
+/**
+ * Error Codes for PicketLink https://docs.jboss.org/author/display/PLINK/PicketLink+Error+Codes
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Aug 4, 2011
+ */
+public interface ErrorCodes {
+
+    String ASSERTION_RENEWAL_EXCEPTION = "PL00103:Assertion Renewal Exception:";
+
+    String AUDIT_MANAGER_NULL = "PL00028: Audit Manager Is Not Set";
+
+    String AUTHENTICATOR_DOES_NOT_HANDLE_ENC = "PL00027: Authenticator does not handle encryption";
+
+    String AUTHN_REQUEST_ID_VERIFICATION_FAILED = "PL00104:Authn Request ID verification failed:";
+
+    String CLASS_NOT_LOADED = "PL00085: Class Not Loaded:";
+
+    String CANNOT_CREATE_INSTANCE = "PL00086: Cannot create instance of:";
+
+    String DOM_MISSING_DOC_ELEMENT = "PL00098: Missing Document Element:";
+
+    String DOM_MISSING_ELEMENT = "PL00099: Missing Element:";
+
+    String ENCRYPTION_PROCESS_FAILURE = "PL00101: Encryption Process Failure:";
+
+    String EXPIRED_ASSERTION = "PL00079: Assertion has expired:";
+
+    String EXPECTED_XSI = "PL00072: Parser: Expected xsi:type";
+
+    String EXPECTED_TAG = "PL00066: Parser : Expected start tag:";
+
+    String EXPECTED_TEXT_VALUE = "PL00071: Parser: Expected text value:";
+
+    String EXPECTED_END_TAG = "PL00066: Parser : Expected end tag:";
+
+    String FAILED_PARSING = "PL00067: Parsing has failed:";
+
+    String FILE_NOT_LOCATED = "PL00075: File could not be located :";
+
+    String IDP_AUTH_FAILED = "PL00015: IDP Authentication Failed:";
+
+    String IDP_WEBBROWSER_VALVE_ALREADY_STARTED = "PL00021: IDPWebBrowserSSOValve already Started";
+
+    String IDP_WEBBROWSER_VALVE_CONF_FILE_MISSING = "PL00017: Configuration File missing:";
+
+    String IDP_WEBBROWSER_VALVE_NOT_STARTED = "PL00024: IDPWebBrowserSSOValve NotStarted";
+
+    String ILLEGAL_METHOD_CALLED = "PL00020: Illegal Method Called";
+
+    String INVALID_ASSERTION = "PL00080: Invalid Assertion:";
+
+    String INVALID_DIGITAL_SIGNATURE = "PL00009: Invalid Digital Signature:";
+
+    String INJECTED_VALUE_MISSING = "PL00077: Injected Value Missing:";
+
+    String ISSUER_INFO_MISSING_STATUS_CODE = "PL00085: IssuerInfo missing status code :";
+
+    String KEYSTOREKEYMGR_DOMAIN_ALIAS_MISSING = "PL00058: KeyStoreKeyManager : Domain Alias missing for :";
+
+    String KEYSTOREKEYMGR_NULL_ALIAS = "PL00059: KeyStoreKeyManager : Alias is null";
+
+    String KEYSTOREKEYMGR_NULL_KEYSTORE = "PL00055: KeyStoreKeyManager : KeyStore is null";
+
+    String KEYSTOREKEYMGR_NULL_SIGNING_KEYPASS = "PL00057: KeyStoreKeyManager :: Signing Key Pass is null";
+
+    String KEYSTOREKEYMGR_NULL_ENCRYPTION_KEYPASS = "PL00189: KeyStoreKeyManager :: Encryption Key Pass is null";
+
+    String KEYSTOREKEYMGR_KEYSTORE_NOT_LOCATED = "PL00056: KeyStoreKeyManager: Keystore not located:";
+
+    String NOT_EQUAL = "PL00094: Not equal:";
+
+    String NOT_IMPLEMENTED_YET = "PL00082: Not Implemented Yet: ";
+
+    String NOT_SERIALIZABLE = "PL00093: Not Serializable:";
+
+    String NULL_ARGUMENT = "PL00078: Null Parameter:";
+
+    String NULL_ASSERTION = "PL00054: Assertion is null";
+
+    String NULL_ISSUE_INSTANT = "PL00088: Null IssueInstant";
+
+    String NULL_INPUT_STREAM = "PL00060: Input Stream is null";
+
+    String NULL_START_ELEMENT = "PL00068: Parser : Start Element is null";
+
+    String NULL_VALUE = "PL00092: Null Value:";
+
+    String OPTION_NOT_SET = "PL00076: Option not set:";
+
+    String PARSING_ERROR = "PL00074: Parsing Error:";
+
+    String PRINCIPAL_NOT_FOUND = "PL00022: Principal Not Found";
+
+    String PROCESSING_EXCEPTION = "PL00102: Processing Exception:";
+
+    String REQD_ATTRIBUTE = "PL00063: Parser: Required attribute missing: ";
+
+    String RESOURCE_NOT_FOUND = "PL00018: Resource not found:";
+
+    String SAML2STSLM_CONF_FILE_MISSING = "PL00039: SAML2STSLoginModule: Failed to validate assertion: STS configuration file not specified";
+
+    String SAML2STSLM_UNABLE_DECODE_PWD = "PL00047: SAML2STSLoginModule: Unable to decode password:";
+
+    String SERVICE_PROVIDER_CONF_FILE_MISSING = "PL00025: Service Provider:: Configuration File missing:";
+
+    String SERVICE_PROVIDER_NOT_CATALINA_RESPONSE = "PL00026: Response was not of type catalina response";
+
+    String SERVICE_PROVIDER_SERVER_EXCEPTION = "PL00032: Service Provider :: Server Exception";
+
+    String SHOULD_NOT_BE_THE_SAME = "PL00016: Should not be the same:";
+
+    String SIGNING_PROCESS_FAILURE = "PL00100: Signing Process Failure:";
+
+    String STS_CLIENT_PUBLIC_KEY_ERROR = "PL00008: Unable to locate client public key";
+
+    String STS_CONFIGURATION_NOT_SET = "PL00014: Configuration is not set";
+
+    String STS_CONFIGURATION_FILE_PARSING_ERROR = "PL00005: Error parsing the configuration file:";
+
+    String STS_CONFIGURATION_EXCEPTION = "PL00002: Encountered configuration exception:";
+
+    String STS_COMBINED_SECRET_KEY_ERROR = "PL00006: Error generating combined secret key:";
+
+    String STS_EXCEPTION_HANDLING_TOKEN_REQ = "PL00003: Exception in handling token request: ";
+
+    String STS_NO_TOKEN_PROVIDER = "PL00013: No Security Token Provider found in configuration:[";
+
+    String STS_INVALID_TOKEN_REQUEST = "PL00001: Invalid security token request";
+
+    String STS_INVALID_REQUEST_TYPE = "PL00001: Invalid request type: ";
+
+    String STS_PUBLIC_KEY_ERROR = "PL00010: Error obtaining public key for service: ";
+
+    String STS_PUBLIC_KEY_CERT = "PL00012: Error obtaining public key certificate:";
+
+    String STS_RESPONSE_WRITING_ERROR = "PL00004: Error writing response: ";
+
+    String STS_SIGNING_KEYPAIR_ERROR = "PL00011: Error obtaining signing key pair:";
+
+    String STS_UNABLE_TO_CONSTRUCT_KEYMGR = "PL00007: Unable to construct the key manager:";
+
+    String SYSTEM_PROPERTY_MISSING = "PL00087: System Property missing:";
+
+    String TRUST_MANAGER_MISSING = "PL000023: Trust Key Manager Missing";
+
+    String UNABLE_PARSING_NULL_TOKEN = "PL00073: Parser: Unable to parse token request: security token is null";
+
+    String UNABLE_LOCAL_AUTH = "PL00035: Unable to fallback on local auth:";
+
+    String UNKNOWN_END_ELEMENT = "PL00061: Parser: Unknown End Element:";
+
+    String UNKNOWN_OBJECT_TYPE = "PL00089: Unknown Object Type:";
+
+    String UNKNOWN_START_ELEMENT = "PL00064: Parser: Unknown Start Element: ";
+
+    String UNKNOWN_SIG_ALGO = "PL00090: Unknown Signature Algorithm:";
+
+    String UNKNOWN_ENC_ALGO = "PL00097: Unknown Encryption Algorithm:";
+
+    String UNKNOWN_TAG = "PL00062: Parser : Unknown tag:";
+
+    String UNKNOWN_XSI = "PL0065: Parser : Unknown xsi:type=";
+
+    String UNSUPPORTED_TYPE = "PL00069: Parser: Type not supported:";
+
+    String VALIDATION_CHECK_FAILED = "PL00019: Validation check failed";
+
+    String WRITER_INVALID_KEYINFO_NULL_CONTENT = "PL00091: Writer: Invalid KeyInfo object: content cannot be empty";
+
+    String WRITER_NULL_VALUE = "PL00083: Writer: Null Value:";
+
+    String WRITER_SHOULD_START_ELEMENT = "PL00096: Writer: Should have been a StartElement";
+
+    String WRITER_UNKNOWN_TYPE = "PL00081: Writer: Unknown Type:";
+
+    String WRITER_UNSUPPORTED_ATTRIB_VALUE = "PL00084: Writer: Unsupported Attribute Value:";
+
+    String WRONG_TYPE = "PL00095: Wrong type:";
+
+    String SOAP_MESSAGE_DUMP_ERROR = "PL00104: Error while dumping SOAP message:";
+
+    String LOCAL_VALIDATION_SEC_DOMAIN_MUST_BE_SPECIFIED = "PL00105: When using local validation 'localValidationSecurityDomain' must be specified.";
+
+    String COMPRESSION_ENABLED_SAML_CRED = "When compression is enabled, received credential should be SamlCredential, but got ";
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/PicketLinkLogger.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/PicketLinkLogger.java
new file mode 100755
index 0000000000..9736ce2ab5
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/PicketLinkLogger.java
@@ -0,0 +1,1223 @@
+/*
+ *JBoss, Home of Professional Open Source
+ *
+ *Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ *Licensed under the Apache License, Version 2.0 (the "License");
+ *you may not use this file except in compliance with the License.
+ *You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *Unless required by applicable law or agreed to in writing, software
+ *distributed under the License is distributed on an "AS IS" BASIS,
+ *WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *See the License for the specific language governing permissions and
+ *limitations under the License.
+ */
+
+package org.keycloak.saml.common;
+
+
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.exceptions.TrustKeyConfigurationException;
+import org.keycloak.saml.common.exceptions.TrustKeyProcessingException;
+import org.keycloak.saml.common.exceptions.fed.AssertionExpiredException;
+import org.keycloak.saml.common.exceptions.fed.IssueInstantMissingException;
+import org.keycloak.saml.common.exceptions.fed.IssuerNotTrustedException;
+import org.keycloak.saml.common.exceptions.fed.SignatureValidationException;
+import org.keycloak.saml.common.exceptions.fed.WSTrustException;
+import org.w3c.dom.Element;
+
+import javax.security.auth.login.LoginException;
+import javax.xml.crypto.dsig.XMLSignatureException;
+import javax.xml.stream.Location;
+import javax.xml.ws.WebServiceException;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+
+/**
+ * <p>This interface acts as a Log Facade for PicketLink, from which exceptions and messages should be created or
+ * logged.</p> <p>As PicketLink supports multiple containers and its versions, the main objective of this interface is
+ * to abstract the logging aspects from the code and provide different logging implementations for each supported
+ * binding/container.</p>
+ *
+ * @author <a href="mailto:psilva@redhat.com">Pedro Silva</a>
+ * @see {@link PicketLinkLoggerFactory}
+ */
+public interface PicketLinkLogger {
+
+    /**
+     * <p>Creates an {@link IllegalArgumentException} for null arguments.</p>
+     *
+     * @param argument
+     *
+     * @return
+     */
+    IllegalArgumentException nullArgumentError(String argument);
+
+    /**
+     * <p>Creates an {@link IllegalArgumentException} for arguments that should not be the same.</p>
+     *
+     * @param string
+     *
+     * @return
+     */
+    IllegalArgumentException shouldNotBeTheSameError(String string);
+
+    /**
+     * <p>Creates an {@link org.keycloak.saml.common.exceptions.ProcessingException} for resources that are not found.</p>
+     *
+     * @param resource
+     *
+     * @return
+     */
+    ProcessingException resourceNotFound(String resource);
+
+    /**
+     * <p>Creates an {@link ProcessingException} for generics processing errors.</p>
+     *
+     * @param message
+     * @param t
+     *
+     * @return
+     */
+    ProcessingException processingError(Throwable t);
+
+    /**
+     * <p>Creates an {@link RuntimeException} for not supported types.</p>
+     *
+     * @param name
+     *
+     * @return
+     */
+    RuntimeException unsupportedType(String name);
+
+    /**
+     * <p>Creates a {@link ProcessingException} for exceptions raised during signature processing.</p>
+     *
+     * @param e
+     *
+     * @return
+     */
+    XMLSignatureException signatureError(Throwable e);
+
+    /**
+     * <p>Creates a {@link RuntimeException} for null values.</p>
+     *
+     * @param nullValue
+     *
+     * @return
+     */
+    RuntimeException nullValueError(String nullValue);
+
+    /**
+     * <p>Creates a {@link RuntimeException} for not implemented methods or features.</p>
+     *
+     * @param string
+     *
+     * @return
+     */
+    RuntimeException notImplementedYet(String string);
+
+    /**
+     * <p>Creates a {@link IllegalStateException} for the case the Audit Manager is null.</p>
+     *
+     * @return
+     */
+    IllegalStateException auditNullAuditManager();
+
+    /**
+     * <p>Indicates if the logging level is set to INFO.</p>
+     *
+     * @return
+     */
+    boolean isInfoEnabled();
+
+    /**
+     * <p>Logs a PicketLink Audit Event.</p>
+     *
+     * @param auditEvent
+     */
+    void auditEvent(String auditEvent);
+
+    /**
+     * <p>Creates a {@link RuntimeException} for missing values.</p>
+     *
+     * @param string
+     *
+     * @return
+     */
+    RuntimeException injectedValueMissing(String value);
+
+    /** <p>Logs a message during the KeyStore setup.</p> */
+    void keyStoreSetup();
+
+    /**
+     * <p>Creates a {@link IllegalStateException} for the case where the KeyStore is null.</p>
+     *
+     * @return
+     */
+    IllegalStateException keyStoreNullStore();
+
+    /**
+     * <p>Logs a message for the cases where no public key was found for a given alias.</p>
+     *
+     * @param alias
+     */
+    void keyStoreNullPublicKeyForAlias(String alias);
+
+    /**
+     * <p>Creates a {@link org.keycloak.saml.common.exceptions.TrustKeyConfigurationException} for exceptions raised during the KeyStore configuration.</p>
+     *
+     * @param t
+     *
+     * @return
+     */
+    TrustKeyConfigurationException keyStoreConfigurationError(Throwable t);
+
+    /**
+     * <p>Creates a {@link TrustKeyConfigurationException} for exceptions raised during the KeyStore processing.</p>
+     *
+     * @param t
+     *
+     * @return
+     */
+    TrustKeyProcessingException keyStoreProcessingError(Throwable t);
+
+    /**
+     * @param domain
+     *
+     * @return
+     */
+    IllegalStateException keyStoreMissingDomainAlias(String domain);
+
+    /**
+     * <p>Creates a {@link RuntimeException} for the case where the signing key password is null.</p>
+     *
+     * @return
+     */
+    RuntimeException keyStoreNullSigningKeyPass();
+
+    RuntimeException keyStoreNullEncryptionKeyPass();
+
+    /**
+     * <p>Creates a {@link RuntimeException} for the case where key store are not located.</p>
+     *
+     * @param keyStore
+     *
+     * @return
+     */
+    RuntimeException keyStoreNotLocated(String keyStore);
+
+    /**
+     * <p>Creates a {@link IllegalStateException} for the case where the alias is null.</p>
+     *
+     * @return
+     */
+    IllegalStateException keyStoreNullAlias();
+
+    /**
+     * <p>Creates a {@link RuntimeException} for the case where parser founds a unknown end element.</p>
+     *
+     * @param endElementName
+     *
+     * @return
+     */
+    RuntimeException parserUnknownEndElement(String endElementName);
+
+    /**
+     * @param tag
+     * @param location
+     *
+     * @return
+     */
+    RuntimeException parserUnknownTag(String tag, Location location);
+
+    /**
+     * @param string
+     *
+     * @return
+     */
+    ParsingException parserRequiredAttribute(String string);
+
+    /**
+     * @param elementName
+     * @param location
+     *
+     * @return
+     */
+    RuntimeException parserUnknownStartElement(String elementName, Location location);
+
+    /** @return  */
+    IllegalStateException parserNullStartElement();
+
+    /**
+     * @param xsiTypeValue
+     *
+     * @return
+     */
+    ParsingException parserUnknownXSI(String xsiTypeValue);
+
+    /**
+     * @param string
+     *
+     * @return
+     */
+    ParsingException parserExpectedEndTag(String tagName);
+
+    /**
+     * @param e
+     *
+     * @return
+     */
+    ParsingException parserException(Throwable t);
+
+    /**
+     * @param string
+     *
+     * @return
+     */
+    ParsingException parserExpectedTextValue(String string);
+
+    /**
+     * @param expectedXsi
+     *
+     * @return
+     */
+    RuntimeException parserExpectedXSI(String expectedXsi);
+
+    /**
+     * @param tag
+     * @param foundElementTag
+     *
+     * @return
+     */
+    RuntimeException parserExpectedTag(String tag, String foundElementTag);
+
+    /**
+     * @param elementName
+     *
+     * @return
+     */
+    RuntimeException parserFailed(String elementName);
+
+    /** @return  */
+    ParsingException parserUnableParsingNullToken();
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    ParsingException parserError(Throwable t);
+
+    /**
+     * @param e
+     *
+     * @return
+     */
+    RuntimeException xacmlPDPMessageProcessingError(Throwable t);
+
+    /**
+     * @param policyConfigFileName
+     *
+     * @return
+     */
+    IllegalStateException fileNotLocated(String policyConfigFileName);
+
+    /**
+     * @param string
+     *
+     * @return
+     */
+    IllegalStateException optionNotSet(String option);
+
+    /**
+     *
+     */
+    void stsTokenRegistryNotSpecified();
+
+    /** @param tokenRegistryOption */
+    void stsTokenRegistryInvalidType(String tokenRegistryOption);
+
+    /**
+     *
+     */
+    void stsTokenRegistryInstantiationError();
+
+    /**
+     *
+     */
+    void stsRevocationRegistryNotSpecified();
+
+    /** @param registryOption */
+    void stsRevocationRegistryInvalidType(String registryOption);
+
+    /**
+     *
+     */
+    void stsRevocationRegistryInstantiationError();
+
+    /** @return  */
+    ProcessingException samlAssertionExpiredError();
+
+    /** @return  */
+    ProcessingException assertionInvalidError();
+
+    /**
+     * @param name
+     *
+     * @return
+     */
+    RuntimeException writerUnknownTypeError(String name);
+
+    /**
+     * @param string
+     *
+     * @return
+     */
+    ProcessingException writerNullValueError(String value);
+
+    /**
+     * @param value
+     *
+     * @return
+     */
+    RuntimeException writerUnsupportedAttributeValueError(String value);
+
+    /** @return  */
+    IllegalArgumentException issuerInfoMissingStatusCodeError();
+
+    /**
+     * @param fqn
+     *
+     * @return
+     */
+    ProcessingException classNotLoadedError(String fqn);
+
+    /**
+     * @param fqn
+     * @param e
+     *
+     * @return
+     */
+    ProcessingException couldNotCreateInstance(String fqn, Throwable t);
+
+    /**
+     * @param property
+     *
+     * @return
+     */
+    RuntimeException systemPropertyMissingError(String property);
+
+    /** @param t */
+    void samlMetaDataIdentityProviderLoadingError(Throwable t);
+
+    /** @param t */
+    void samlMetaDataServiceProviderLoadingError(Throwable t);
+
+    /** @param t */
+    void signatureAssertionValidationError(Throwable t);
+
+    /** @param id */
+    void samlAssertionExpired(String id);
+
+    /**
+     * @param attrValue
+     *
+     * @return
+     */
+    RuntimeException unknownObjectType(Object attrValue);
+
+    /**
+     * @param e
+     *
+     * @return
+     */
+    ConfigurationException configurationError(Throwable t);
+
+    /** @param message */
+    void trace(String message);
+
+    /**
+     * @param string
+     * @param t
+     */
+    void trace(String message, Throwable t);
+
+    /**
+     * @param algo
+     *
+     * @return
+     */
+    RuntimeException signatureUnknownAlgo(String algo);
+
+    /**
+     * @param message
+     *
+     * @return
+     */
+    IllegalArgumentException invalidArgumentError(String message);
+
+    /**
+     * @param configuration
+     * @param protocolContext
+     *
+     * @return
+     */
+    ProcessingException stsNoTokenProviderError(String configuration, String protocolContext);
+
+    /** @param message */
+    void debug(String message);
+
+    /** @param fileName */
+    void stsConfigurationFileNotFoundTCL(String fileName);
+
+    /** @param fileName */
+    void stsConfigurationFileNotFoundClassLoader(String fileName);
+
+    /** @param fileName */
+    void stsUsingDefaultConfiguration(String fileName);
+
+    /** @param fileName */
+    void stsConfigurationFileLoaded(String fileName);
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    ConfigurationException stsConfigurationFileParsingError(Throwable t);
+
+    /**
+     * @param message
+     *
+     * @return
+     */
+    IOException notSerializableError(String message);
+
+    /**
+     *
+     */
+    void trustKeyManagerCreationError(Throwable t);
+
+    /** @param message */
+    void info(String message);
+
+    /** @param string */
+    void warn(String message);
+
+    /** @param message */
+    void error(String message);
+
+    /** @param t */
+    void xmlCouldNotGetSchema(Throwable t);
+
+    /** @return  */
+    boolean isTraceEnabled();
+
+    /** @return  */
+    boolean isDebugEnabled();
+
+    /**
+     * @param name
+     * @param t
+     */
+    void jceProviderCouldNotBeLoaded(String name, Throwable t);
+
+    /** @return  */
+    ProcessingException writerInvalidKeyInfoNullContentError();
+
+    /**
+     * @param first
+     * @param second
+     *
+     * @return
+     */
+    RuntimeException notEqualError(String first, String second);
+
+    /**
+     * @param message
+     *
+     * @return
+     */
+    IllegalArgumentException wrongTypeError(String message);
+
+    /**
+     * @param certAlgo
+     *
+     * @return
+     */
+    RuntimeException encryptUnknownAlgoError(String certAlgo);
+
+    /**
+     * @param element
+     *
+     * @return
+     */
+    IllegalStateException domMissingDocElementError(String element);
+
+    /**
+     * @param element
+     *
+     * @return
+     */
+    IllegalStateException domMissingElementError(String element);
+
+    /** @return  */
+    WebServiceException stsWSInvalidTokenRequestError();
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    WebServiceException stsWSError(Throwable t);
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    WebServiceException stsWSConfigurationError(Throwable t);
+
+    /**
+     * @param requestType
+     *
+     * @return
+     */
+    WSTrustException stsWSInvalidRequestTypeError(String requestType);
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    WebServiceException stsWSHandlingTokenRequestError(Throwable t);
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    WebServiceException stsWSResponseWritingError(Throwable t);
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    RuntimeException stsUnableToConstructKeyManagerError(Throwable t);
+
+    /**
+     * @param serviceName
+     * @param t
+     *
+     * @return
+     */
+    RuntimeException stsPublicKeyError(String serviceName, Throwable t);
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    RuntimeException stsSigningKeyPairError(Throwable t);
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    RuntimeException stsPublicKeyCertError(Throwable t);
+
+    /**
+     *
+     */
+    void stsTokenTimeoutNotSpecified();
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    WSTrustException wsTrustCombinedSecretKeyError(Throwable t);
+
+    /** @return  */
+    WSTrustException wsTrustClientPublicKeyError();
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    WSTrustException stsError(Throwable t);
+
+    /**
+     * @param message
+     * @param t
+     *
+     * @return
+     */
+    XMLSignatureException signatureInvalidError(String message, Throwable t);
+
+    /**
+     *
+     */
+    void stsSecurityTokenSignatureNotVerified();
+
+    /**
+     * @param e
+     *
+     * @return
+     */
+    RuntimeException encryptProcessError(Throwable t);
+
+    /**
+     *
+     */
+    void stsSecurityTokenShouldBeEncrypted();
+
+    /**
+     * @param password
+     *
+     * @return
+     */
+    RuntimeException unableToDecodePasswordError(String password);
+
+    /**
+     * @param configFile
+     *
+     * @return
+     */
+    IllegalStateException couldNotLoadProperties(String configFile);
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    WSTrustException stsKeyInfoTypeCreationError(Throwable t);
+
+    /**
+     *
+     */
+    void stsSecretKeyNotEncrypted();
+
+    /** @return  */
+    LoginException authCouldNotIssueSAMLToken();
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    LoginException authLoginError(Throwable t);
+
+    /**
+     * @param e
+     *
+     * @return
+     */
+    IllegalStateException authCouldNotCreateWSTrustClient(Throwable t);
+
+    /** @param id */
+    void samlAssertionWithoutExpiration(String id);
+
+    /**
+     * @param token
+     *
+     * @return
+     */
+    LoginException authCouldNotValidateSAMLToken(Element token);
+
+    /** @return  */
+    LoginException authCouldNotLocateSecurityToken();
+
+    /** @return  */
+    ProcessingException wsTrustNullCancelTargetError();
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    ProcessingException samlAssertionMarshallError(Throwable t);
+
+    /** @return  */
+    ProcessingException wsTrustNullRenewTargetError();
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    ProcessingException samlAssertionUnmarshallError(Throwable t);
+
+    /** @return  */
+    ProcessingException samlAssertionRevokedCouldNotRenew(String id);
+
+    /** @return  */
+    ProcessingException wsTrustNullValidationTargetError();
+
+    /** @param attributeProviderClassName */
+    void stsWrongAttributeProviderTypeNotInstalled(String attributeProviderClassName);
+
+    /** @param t */
+    void attributeProviderInstationError(Throwable t);
+
+    /** @param nodeAsString */
+    void samlAssertion(String nodeAsString);
+
+    /**
+     * @param dce
+     *
+     * @return
+     */
+    RuntimeException wsTrustUnableToGetDataTypeFactory(Throwable t);
+
+    /** @return  */
+    ProcessingException wsTrustValidationStatusCodeMissing();
+
+    /** @param activeSessionCount */
+    void samlIdentityServerActiveSessionCount(int activeSessionCount);
+
+    /**
+     * @param id
+     * @param activeSessionCount
+     */
+    void samlIdentityServerSessionCreated(String id, int activeSessionCount);
+
+    /**
+     * @param id
+     * @param activeSessionCount
+     */
+    void samlIdentityServerSessionDestroyed(String id, int activeSessionCount);
+
+    /**
+     * @param name
+     *
+     * @return
+     */
+    RuntimeException unknowCredentialType(String name);
+
+    /** @param t */
+    void samlHandlerRoleGeneratorSetupError(Throwable t);
+
+    /** @return  */
+    RuntimeException samlHandlerAssertionNotFound();
+
+    /** @return  */
+    ProcessingException samlHandlerAuthnRequestIsNull();
+
+    /** @param t */
+    void samlHandlerAuthenticationError(Throwable t);
+
+    /** @return  */
+    IllegalArgumentException samlHandlerNoAssertionFromIDP();
+
+    /** @return  */
+    ProcessingException samlHandlerNullEncryptedAssertion();
+
+    /** @return  */
+    SecurityException samlHandlerIDPAuthenticationFailedError();
+
+    /**
+     * @param aee
+     *
+     * @return
+     */
+    ProcessingException assertionExpiredError(AssertionExpiredException aee);
+
+    /**
+     * @param attrValue
+     *
+     * @return
+     */
+    RuntimeException unsupportedRoleType(Object attrValue);
+
+    /**
+     * @param inResponseTo
+     * @param authnRequestId
+     */
+    void samlHandlerFailedInResponseToVerification(String inResponseTo, String authnRequestId);
+
+    /** @return  */
+    ProcessingException samlHandlerFailedInResponseToVerificarionError();
+
+    /**
+     * @param issuer
+     *
+     * @return
+     */
+    IssuerNotTrustedException samlIssuerNotTrustedError(String issuer);
+
+    /**
+     * @param e
+     *
+     * @return
+     */
+    IssuerNotTrustedException samlIssuerNotTrustedException(Throwable t);
+
+    /** @return  */
+    ConfigurationException samlHandlerTrustElementMissingError();
+
+    /** @return  */
+    ProcessingException samlHandlerIdentityServerNotFoundError();
+
+    /** @return  */
+    ProcessingException samlHandlerPrincipalNotFoundError();
+
+    /**
+     *
+     */
+    void samlHandlerKeyPairNotFound();
+
+    /** @return  */
+    ProcessingException samlHandlerKeyPairNotFoundError();
+
+    /** @param t */
+    void samlHandlerErrorSigningRedirectBindingMessage(Throwable t);
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    RuntimeException samlHandlerSigningRedirectBindingMessageError(Throwable t);
+
+    /** @return  */
+    SignatureValidationException samlHandlerSignatureValidationFailed();
+
+    /** @param t */
+    void samlHandlerErrorValidatingSignature(Throwable t);
+
+    /** @return  */
+    ProcessingException samlHandlerInvalidSignatureError();
+
+    /** @return  */
+    ProcessingException samlHandlerSignatureNotPresentError();
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    ProcessingException samlHandlerSignatureValidationError(Throwable t);
+
+    /** @param t */
+    void error(Throwable t);
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    RuntimeException samlHandlerChainProcessingError(Throwable t);
+
+    /** @return  */
+    TrustKeyConfigurationException trustKeyManagerMissing();
+
+    /** @param rte */
+    void samlBase64DecodingError(Throwable t);
+
+    /** @param t */
+    void samlParsingError(Throwable t);
+
+    /** @param t */
+    void trace(Throwable t);
+
+    /**
+     *
+     */
+    void mappingContextNull();
+
+    /** @param t */
+    void attributeManagerError(Throwable t);
+
+    /**
+     *
+     */
+    void couldNotObtainSecurityContext();
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    LoginException authFailedToCreatePrincipal(Throwable t);
+
+    /**
+     * @param class1
+     *
+     * @return
+     */
+    LoginException authSharedCredentialIsNotSAMLCredential(String className);
+
+    /** @return  */
+    LoginException authSTSConfigFileNotFound();
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    LoginException authErrorHandlingCallback(Throwable t);
+
+    /** @return  */
+    LoginException authInvalidSAMLAssertionBySTS();
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    LoginException authAssertionValidationError(Throwable t);
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    LoginException authFailedToParseSAMLAssertion(Throwable t);
+
+    /** @param t */
+    void samlAssertionPasingFailed(Throwable t);
+
+    LoginException authNullKeyStoreFromSecurityDomainError(String name);
+
+    LoginException authNullKeyStoreAliasFromSecurityDomainError(String name);
+
+    LoginException authNoCertificateFoundForAliasError(String alias, String name);
+
+    LoginException authSAMLInvalidSignatureError();
+
+    LoginException authSAMLAssertionExpiredError();
+
+    /** @param t */
+    void authSAMLAssertionIssuingFailed(Throwable t);
+
+    /** @param t */
+    void jbossWSUnableToCreateBinaryToken(Throwable t);
+
+    /**
+     *
+     */
+    void jbossWSUnableToCreateSecurityToken();
+
+    /** @param ignore */
+    void jbossWSUnableToWriteSOAPMessage(Throwable t);
+
+    /** @return  */
+    RuntimeException jbossWSUnableToLoadJBossWSSEConfigError();
+
+    /** @return  */
+    RuntimeException jbossWSAuthorizationFailed();
+
+    /** @param t */
+    void jbossWSErrorGettingOperationName(Throwable t);
+
+    /** @return  */
+    LoginException authSAMLCredentialNotAvailable();
+
+    /**
+     * @param token
+     * @param t
+     *
+     * @return
+     */
+    RuntimeException authUnableToInstantiateHandler(String token, Throwable t);
+
+    /**
+     * @param e1
+     *
+     * @return
+     */
+    RuntimeException jbossWSUnableToCreateSSLSocketFactory(Throwable t);
+
+    /** @return  */
+    RuntimeException jbossWSUnableToFindSSLSocketFactory();
+
+    /** @return  */
+    RuntimeException authUnableToGetIdentityFromSubject();
+
+    /** @return  */
+    RuntimeException authSAMLAssertionNullOrEmpty();
+
+    /** @return  */
+    ProcessingException jbossWSUncheckedAndRolesCannotBeTogether();
+
+    /** @param t */
+    void samlIDPHandlingSAML11Error(Throwable t);
+
+    /** @return  */
+    GeneralSecurityException samlIDPValidationCheckFailed();
+
+    /** @param t */
+    void samlIDPRequestProcessingError(Throwable t);
+
+    /** @param t */
+    void samlIDPUnableToSetParticipantStackUsingDefault(Throwable t);
+
+    /** @param t */
+    void samlHandlerConfigurationError(Throwable t);
+
+    /** @param canonicalizationMethod */
+    void samlIDPSettingCanonicalizationMethod(String canonicalizationMethod);
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    RuntimeException samlIDPConfigurationError(Throwable t);
+
+    /**
+     * @param configFile
+     *
+     * @return
+     */
+    RuntimeException configurationFileMissing(String configFile);
+
+    /**
+     *
+     */
+    void samlIDPInstallingDefaultSTSConfig();
+
+    void samlSPFallingBackToLocalFormAuthentication();
+
+    /**
+     * @param ex
+     *
+     * @return
+     */
+    IOException unableLocalAuthentication(Throwable t);
+
+    /**
+     *
+     */
+    void samlSPUnableToGetIDPDescriptorFromMetadata();
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    RuntimeException samlSPConfigurationError(Throwable t);
+
+    /** @param canonicalizationMethod */
+    void samlSPSettingCanonicalizationMethod(String canonicalizationMethod);
+
+    /** @param logOutPage */
+    void samlSPCouldNotDispatchToLogoutPage(String logOutPage);
+
+    /**
+     * <p>Logs the implementation being used to log messages and exceptions.</p>
+     *
+     * @param name
+     */
+    void usingLoggerImplementation(String className);
+
+    /**
+     *
+     */
+    void samlResponseFromIDPParsingFailed();
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    ConfigurationException auditSecurityDomainNotFound(Throwable t);
+
+    /**
+     * @param location
+     * @param t
+     *
+     * @return
+     */
+    ConfigurationException auditAuditManagerNotFound(String location, Throwable t);
+
+    /** @return  */
+    IssueInstantMissingException samlIssueInstantMissingError();
+
+    /**
+     * @param response
+     *
+     * @return
+     */
+    RuntimeException samlSPResponseNotCatalinaResponseError(Object response);
+
+    /** @param t */
+    void samlLogoutError(Throwable t);
+
+    /** @param t */
+    void samlErrorPageForwardError(String errorPage, Throwable t);
+
+    /** @param t */
+    void samlSPHandleRequestError(Throwable t);
+
+    /**
+     * @param t
+     *
+     * @return
+     */
+    IOException samlSPProcessingExceptionError(Throwable t);
+
+    /** @return  */
+    IllegalArgumentException samlInvalidProtocolBinding();
+
+    /** @return  */
+    IllegalStateException samlHandlerServiceProviderConfigNotFound();
+
+    /**
+     *
+     */
+    void samlSecurityTokenAlreadyPersisted(String id);
+
+    /** @param id */
+    void samlSecurityTokenNotFoundInRegistry(String id);
+
+    IllegalArgumentException samlMetaDataFailedToCreateCacheDuration(String timeValue);
+
+    ConfigurationException samlMetaDataNoIdentityProviderDefined();
+
+    ConfigurationException samlMetaDataNoServiceProviderDefined();
+
+    ConfigurationException securityDomainNotFound();
+
+    void authenticationManagerError(ConfigurationException e);
+
+    void authorizationManagerError(ConfigurationException e);
+
+    IllegalStateException jbdcInitializationError(Throwable throwable);
+
+    RuntimeException errorUnmarshallingToken(Throwable e);
+
+    RuntimeException runtimeException(String msg, Throwable e);
+
+    IllegalStateException datasourceIsNull();
+
+    IllegalArgumentException cannotParseParameterValue(String parameter, Throwable e);
+
+    RuntimeException cannotGetFreeClientPoolKey(String key);
+
+    RuntimeException cannotGetSTSConfigByKey(String key);
+
+    RuntimeException cannotGetUsedClientsByKey(String key);
+
+    RuntimeException removingNonExistingClientFromUsedClientsByKey(String key);
+
+    RuntimeException freePoolAlreadyContainsGivenKey(String key);
+
+    RuntimeException maximumNumberOfClientsReachedforPool(String max);
+
+    RuntimeException cannotSetMaxPoolSizeToNegative(String max);
+
+    RuntimeException parserFeatureNotSupported(String feature);
+
+    ProcessingException samlAssertionWrongAudience(String serviceURL);
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/PicketLinkLoggerFactory.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/PicketLinkLoggerFactory.java
new file mode 100755
index 0000000000..6461eaa1f7
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/PicketLinkLoggerFactory.java
@@ -0,0 +1,55 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.saml.common;
+
+/**
+ * <p> Factory class to create {@link PicketLinkLogger} instances. </p> <p> The logger instances are created based on
+ * the following patterns: <br/> <ul> <li>Tries to load a class with the same full qualified name of {@link
+ * PicketLinkLogger} plus the "Impl" suffix;</li> <li>If no class is found fallback to the {@link
+ * DefaultPicketLinkLogger} as the default logger implementation.</li> </ul> </p>
+ *
+ * @author <a href="mailto:psilva@redhat.com">Pedro Silva</a>
+ */
+public final class PicketLinkLoggerFactory {
+
+    private static PicketLinkLogger LOGGER;
+
+    static {
+        try {
+            LOGGER = (PicketLinkLogger) Class.forName(PicketLinkLogger.class.getName() + "Impl").newInstance();
+        } catch (Exception e) {
+            // if no implementation is found uses the default implementation.
+            LOGGER = new DefaultPicketLinkLogger();
+        }
+
+        if (LOGGER.isDebugEnabled()) {
+            LOGGER.usingLoggerImplementation(LOGGER.getClass().getName());
+        }
+    }
+
+    /**
+     * <p>Returns a {@link PicketLinkLogger} instance.</p>
+     *
+     * @return
+     */
+    public static PicketLinkLogger getLogger() {
+        return LOGGER;
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/GeneralConstants.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/GeneralConstants.java
new file mode 100755
index 0000000000..7a7acb352b
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/GeneralConstants.java
@@ -0,0 +1,155 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.keycloak.saml.common.constants;
+
+
+/**
+ * Constants
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Oct 8, 2009
+ */
+public interface GeneralConstants {
+    String ASSERTIONS_VALIDITY = "ASSERTIONS_VALIDITY";
+    String CLOCK_SKEW = "CLOCK_SKEW";
+
+    String ASSERTION_ID = "ASSERTION_ID";
+
+    String ASSERTION = "ASSERTION";
+
+    String ATTRIBUTES = "ATTRIBUTES";
+
+    String ATTRIBUTE_KEYS = "ATTRIBUTE_KEYS";
+
+    String ATTRIBUTE_CHOOSE_FRIENDLY_NAME = "ATTRIBUTE_CHOOSE_FRIENDLY_NAME";
+
+    String ATTIBUTE_MANAGER = "ATTRIBUTE_MANAGER";
+
+    String AUDIT_ENABLE = "picketlink.audit.enable";
+
+    String AUDIT_HELPER = "AUDIT_HELPER";
+
+    String AUDIT_SECURITY_DOMAIN = "picketlink.audit.securitydomain";
+
+    String CONFIGURATION = "CONFIGURATION";
+
+    String CONFIG_FILE_LOCATION = "/WEB-INF/picketlink.xml";
+
+    String CONFIG_PROVIDER = "CONFIG_PROVIDER";
+
+    String CONTEXT_PATH = "CONTEXT_PATH";
+
+    String DEPRECATED_CONFIG_FILE_LOCATION = "/WEB-INF/picketlink-idfed.xml";
+
+    String LOCAL_LOGOUT = "LLO";
+
+    String GLOBAL_LOGOUT = "GLO";
+
+    String HANDLER_CONFIG_FILE_LOCATION = "/WEB-INF/picketlink-handlers.xml";
+
+    String IDENTITY_SERVER = "IDENTITY_SERVER";
+
+    String IDENTITY_PARTICIPANT_STACK = "IDENTITY_PARTICIPANT_STACK";
+
+    String IGNORE_SIGNATURES = "IGNORE_SIGNATURES";
+
+    String KEYPAIR = "KEYPAIR";
+
+    String LOGIN_TYPE = "LOGIN_TYPE";
+
+    String LOGOUT_PAGE = "LOGOUT_PAGE";
+
+    String LOGOUT_PAGE_NAME = "/logout.jsp";
+
+    String NAMEID_FORMAT = "NAMEID_FORMAT";
+
+    String PRINCIPAL_ID = "picketlink.principal";
+
+    String RELAY_STATE = "RelayState";
+
+    String ROLES = "ROLES";
+
+    String ROLES_ID = "picketlink.roles";
+
+    String ROLE_GENERATOR = "ROLE_GENERATOR";
+
+    String ROLE_VALIDATOR = "ROLE_VALIDATOR";
+
+    String ROLE_VALIDATOR_IGNORE = "ROLE_VALIDATOR_IGNORE";
+
+    String SAML_REQUEST_KEY = "SAMLRequest";
+
+    String SAML_RESPONSE_KEY = "SAMLResponse";
+
+    String SAML_SIG_ALG_REQUEST_KEY = "SigAlg";
+
+    String SAML_SIGNATURE_REQUEST_KEY = "Signature";
+
+    String SAML_IDP_STRICT_POST_BINDING = "SAML_IDP_STRICT_POST_BINDING";
+
+    // Should JAXP Factory operations cache the TCCL and revert after operation?
+    String TCCL_JAXP = "picketlink.jaxp.tccl";
+
+    String TIMEZONE = "picketlink.timezone";
+
+    String TIMEZONE_DEFAULT = "TIMEZONE_DEFAULT";
+
+    String DECRYPTING_KEY = "DECRYPTING_KEY";
+
+    String SP_SSO_METADATA_DESCRIPTOR = "SP_SSO_METADATA_DESCRIPTOR";
+
+    String IDP_SSO_METADATA_DESCRIPTOR = "IDP_SSO_METADATA_DESCRIPTOR";
+
+    String SSO_METADATA_DESCRIPTOR = "SSO_METADATA_DESCRIPTOR";
+
+    String SENDER_PUBLIC_KEY = "SENDER_PUBLIC_KEY";
+
+    String SIGN_OUTGOING_MESSAGES = "SIGN_OUTGOING_MESSAGES";
+
+    String SUPPORTS_SIGNATURES = "SUPPORTS_SIGNATURES";
+
+    String SESSION_ATTRIBUTE_MAP = "SESSION_ATTRIBUTE_MAP";
+
+    String USERNAME_FIELD = "JBID_USERNAME";
+
+    String PASS_FIELD = "JBID_PASSWORD";
+
+    String AUTH_REQUEST_ID = "AUTH_REQUEST_ID";
+    String ERROR_PAGE_NAME = "/error.jsp";
+    String SAML_ENC_KEY_SIZE = "SAML_ENC_KEY_SIZE";
+    String SAML_ENC_ALGORITHM = "SAML_ENC_ALGORITHM";
+
+    /**
+     * <p>{@link SAML2AuthenticationHandler} configuration option to set the assertion into the {@link
+     * HttpSession}.</p>
+     */
+    String ASSERTION_SESSION_ATTRIBUTE_NAME = "ASSERTION_SESSION_ATTRIBUTE_NAME";
+
+    String X509CERTIFICATE = "X509CERTIFICATE";
+
+    String AUTHN_CONTEXT_CLASSES = "AUTHN_CONTEXT_CLASSES";
+    String REQUESTED_AUTHN_CONTEXT_COMPARISON = "REQUESTED_AUTHN_CONTEXT_COMPARISON";
+
+    String BASE64_ENCODE_WSTRUST_SECRET_KEY = "picketlink.wstrust.base64_encode_wstrust_secret_key";
+
+    String HTTP_HEADER_X_REQUESTED_WITH = "X-Requested-With";
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/JBossSAMLConstants.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/JBossSAMLConstants.java
new file mode 100755
index 0000000000..fb90e17922
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/JBossSAMLConstants.java
@@ -0,0 +1,79 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.constants;
+
+/**
+ * SAML Constants
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 10, 2008
+ */
+public enum JBossSAMLConstants {
+    ADDRESS("Address"), ADDITIONAL_METADATA_LOCATION("AdditionalMetadataLocation"), AFFILIATION_DESCRIPTOR(
+            "AffiliationDescriptor"), ALLOW_CREATE("AllowCreate"), ARTIFACT("Artifact"), ARTIFACT_RESOLVE("ArtifactResolve"), ARTIFACT_RESPONSE(
+            "ArtifactResponse"), ARTIFACT_RESOLUTION_SERVICE("ArtifactResolutionService"), ASSERTION("Assertion"), ASSERTION_CONSUMER_SERVICE(
+            "AssertionConsumerService"), ASSERTION_CONSUMER_SERVICE_URL("AssertionConsumerServiceURL"), ASSERTION_CONSUMER_SERVICE_INDEX(
+            "AssertionConsumerServiceIndex"), ASSERTION_ID_REQUEST_SERVICE("AssertionIDRequestService"), ATTRIBUTE("Attribute"), ATTRIBUTE_QUERY(
+            "AttributeQuery"), ATTRIBUTE_AUTHORITY_DESCRIPTOR("AttributeAuthorityDescriptor"), ATTRIBUTE_CONSUMING_SERVICE(
+            "AttributeConsumingService"), ATTRIBUTE_CONSUMING_SERVICE_INDEX("AttributeConsumingServiceIndex"), ATTRIBUTE_SERVICE(
+            "AttributeService"), ATTRIBUTE_STATEMENT("AttributeStatement"), ATTRIBUTE_VALUE("AttributeValue"), AUDIENCE(
+            "Audience"), AUDIENCE_RESTRICTION("AudienceRestriction"), AUTHN_CONTEXT("AuthnContext"), AUTHENTICATING_AUTHORITY(
+            "AuthenticatingAuthority"), AUTHN_AUTHORITY_DESCRIPTOR("AuthnAuthorityDescriptor"), AUTHN_CONTEXT_CLASS_REF(
+            "AuthnContextClassRef"), AUTHN_CONTEXT_DECLARATION("AuthnContextDecl"), AUTHN_CONTEXT_DECLARATION_REF(
+            "AuthnContextDeclRef"), AUTHN_INSTANT("AuthnInstant"), AUTHN_REQUEST("AuthnRequest"), AUTHN_STATEMENT(
+            "AuthnStatement"), AUTHN_REQUESTS_SIGNED("AuthnRequestsSigned"), BASEID("BaseID"), BINDING("Binding"), CACHE_DURATION(
+            "cacheDuration"), COMPANY("Company"), CONDITIONS("Conditions"), COMPARISON("Comparison"), CONSENT("Consent"), CONTACT_PERSON("ContactPerson"), CONTACT_TYPE(
+            "contactType"), DESTINATION("Destination"), DNS_NAME("DNSName"), EMAIL_ADDRESS("EmailAddress"), ENCODING("Encoding"), ENCRYPTED_ASSERTION(
+            "EncryptedAssertion"), ENCRYPTED_ID("EncryptedID"), ENTITY_ID("entityID"), ENTITY_DESCRIPTOR("EntityDescriptor"), ENTITIES_DESCRIPTOR(
+            "EntitiesDescriptor"), EXTENSIONS("Extensions"), FORMAT("Format"), FRIENDLY_NAME("FriendlyName"), FORCE_AUTHN(
+            "ForceAuthn"), GIVEN_NAME("GivenName"), ID("ID"), IDP_SSO_DESCRIPTOR("IDPSSODescriptor"), INDEX("index"), INPUT_CONTEXT_ONLY(
+            "InputContextOnly"), IN_RESPONSE_TO("InResponseTo"), ISDEFAULT("isDefault"), IS_REQUIRED("isRequired"), IS_PASSIVE(
+            "IsPassive"), ISSUE_INSTANT("IssueInstant"), ISSUER("Issuer"), KEY_DESCRIPTOR("KeyDescriptor"), KEY_INFO("KeyInfo"), ENCRYPTION_METHOD("EncryptionMethod"), LANG(
+            "lang"), LANG_EN("en"), LOCATION("Location"), LOGOUT_REQUEST("LogoutRequest"), LOGOUT_RESPONSE("LogoutResponse"), MANAGE_NAMEID_SERVICE(
+            "ManageNameIDService"), METADATA_MIME("application/samlmetadata+xml"), METHOD("Method"), NAME("Name"), NAME_FORMAT(
+            "NameFormat"), NAMEID("NameID"), NAMEID_FORMAT("NameIDFormat"), NAMEID_MAPPING_SERVICE("NameIDMappingService"), NAMEID_POLICY(
+            "NameIDPolicy"), NAME_QUALIFIER("NameQualifier"), NOT_BEFORE("NotBefore"), NOT_ON_OR_AFTER("NotOnOrAfter"), ORGANIZATION(
+            "Organization"), ORGANIZATION_NAME("OrganizationName"), ORGANIZATION_DISPLAY_NAME("OrganizationDisplayName"), ORGANIZATION_URL(
+            "OrganizationURL"), PDP_DESCRIPTOR("PDPDescriptor"), PROTOCOL_BINDING("ProtocolBinding"), PROTOCOL_SUPPORT_ENUMERATION(
+            "protocolSupportEnumeration"), PROVIDER_NAME("ProviderName"), REQUESTED_AUTHN_CONTEXT("RequestedAuthnContext"), REASON(
+            "Reason"), RECIPIENT("Recipient"), REQUEST("Request"), REQUESTED_ATTRIBUTE("RequestedAttribute"), REQUEST_ABSTRACT(
+            "RequestAbstract"), RESPONSE("Response"), RESPONSE_LOCATION("ResponseLocation"), RETURN_CONTEXT("ReturnContext"), SESSION_INDEX(
+            "SessionIndex"), SERVICE_NAME("ServiceName"), SERVICE_DESCRIPTION("ServiceDescription"), SP_PROVIDED_ID(
+            "SPProvidedID"), SP_NAME_QUALIFIER("SPNameQualifier"), SP_SSO_DESCRIPTOR("SPSSODescriptor"), SIGNATURE("Signature"), SIGNATURE_SHA1_WITH_DSA(
+            "http://www.w3.org/2000/09/xmldsig#dsa-sha1"), SIGNATURE_SHA1_WITH_RSA("http://www.w3.org/2000/09/xmldsig#rsa-sha1"), SINGLE_SIGNON_SERVICE(
+            "SingleSignOnService"), SINGLE_LOGOUT_SERVICE("SingleLogoutService"), STATEMENT("Statement"), STATUS("Status"), STATUS_CODE(
+            "StatusCode"), STATUS_DETAIL("StatusDetail"), STATUS_MESSAGE("StatusMessage"), STATUS_RESPONSE_TYPE(
+            "StatusResponseType"), SUBJECT("Subject"), SUBJECT_CONFIRMATION("SubjectConfirmation"), SUBJECT_CONFIRMATION_DATA(
+            "SubjectConfirmationData"), SUBJECT_LOCALITY("SubjectLocality"), SURNAME("SurName"), TELEPHONE_NUMBER(
+            "TelephoneNumber"), TYPE("type"), USE("use"), VALUE("Value"), VALID_UNTIL("validUntil"), VERSION("Version"), VERSION_2_0(
+            "2.0"), WANT_AUTHN_REQUESTS_SIGNED("WantAuthnRequestsSigned"), WANT_ASSERTIONS_SIGNED("WantAssertionsSigned"), XACML_AUTHZ_DECISION_QUERY(
+            "XACMLAuthzDecisionQuery"), XACML_AUTHZ_DECISION_QUERY_TYPE("XACMLAuthzDecisionQueryType"), XACML_AUTHZ_DECISION_STATEMENT_TYPE(
+            "XACMLAuthzDecisionStatementType"), HTTP_POST_BINDING("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"), ONE_TIME_USE ("OneTimeUse"),
+            UNSOLICITED_RESPONSE_TARGET("TARGET"), UNSOLICITED_RESPONSE_SAML_VERSION("SAML_VERSION"), UNSOLICITED_RESPONSE_SAML_BINDING("SAML_BINDING"),
+            ROLE_DESCRIPTOR("RoleDescriptor");
+
+    private String name;
+
+    private JBossSAMLConstants(String val) {
+        this.name = val;
+    }
+
+    public String get() {
+        return this.name;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/JBossSAMLURIConstants.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/JBossSAMLURIConstants.java
new file mode 100755
index 0000000000..3833c56f38
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/JBossSAMLURIConstants.java
@@ -0,0 +1,129 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.constants;
+
+/**
+ * Define the constants based on URI
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 10, 2008
+ */
+public enum JBossSAMLURIConstants {
+    AC_PASSWORD_PROTECTED_TRANSPORT("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"), AC_PASSWORD(
+            "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"), AC_TLS_CLIENT(
+            "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"), AC_PREVIOUS_SESSION(
+            "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"), AC_UNSPECIFIED(
+            "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"), AC_IP(
+            "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol"),
+
+    ASSERTION_NSURI("urn:oasis:names:tc:SAML:2.0:assertion"), ATTRIBUTE_FORMAT_BASIC(
+            "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"), ATTRIBUTE_FORMAT_URI(
+            "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"),
+
+    BEARER("urn:oasis:names:tc:SAML:2.0:cm:bearer"),
+
+    CLAIMS_EMAIL_ADDRESS_2005("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), CLAIMS_EMAIL_ADDRESS(
+            "http://schemas.xmlsoap.org/claims/EmailAddress"), CLAIMS_GIVEN_NAME(
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), CLAIMS_NAME(
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), CLAIMS_USER_PRINCIPAL_NAME_2005(
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), CLAIMS_USER_PRINCIPAL_NAME(
+            "http://schemas.xmlsoap.org/claims/UPN"), CLAIMS_COMMON_NAME("http://schemas.xmlsoap.org/claims/CommonName"), CLAIMS_GROUP(
+            "http://schemas.xmlsoap.org/claims/Group"), CLAIMS_ROLE(
+            "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), CLAIMS_SURNAME(
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"), CLAIMS_PRIVATE_ID(
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier"), CLAIMS_NAME_IDENTIFIER(
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), CLAIMS_AUTHENTICATION_METHOD(
+            "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"), CLAIMS_DENY_ONLY_GROUP_SID(
+            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid"), CLAIMS_DENY_ONLY_PRIMARY_SID(
+            "http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid"), CLAIMS_DENY_ONLY_PRIMARY_GROUP_SID(
+            "http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid"), CLAIMS_GROUP_SID(
+            "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"), CLAIMS_PRIMARY_GROUP_SID(
+            "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid"), CLAIMS_PRIMARY_SID(
+            "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"), CLAIMS_WINDOWS_ACCOUNT_NAME(
+            "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"), CLAIMS_PUID(
+            "http://schemas.xmlsoap.org/claims/PUID"),
+
+    HOLDER_OF_KEY("urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"),
+
+    METADATA_NSURI("urn:oasis:names:tc:SAML:2.0:metadata"), METADATA_HTTP_REDIRECT_BINDING(
+            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"),
+
+    NAMEID_FORMAT_TRANSIENT("urn:oasis:names:tc:SAML:2.0:nameid-format:transient"), NAMEID_FORMAT_PERSISTENT(
+            "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"), NAMEID_FORMAT_UNSPECIFIED(
+            "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"), NAMEID_FORMAT_EMAIL(
+            "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"), NAMEID_FORMAT_X509SUBJECTNAME(
+            "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"), NAMEID_FORMAT_WINDOWS_DOMAIN_NAME(
+            "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"), NAMEID_FORMAT_KERBEROS(
+            "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"), NAMEID_FORMAT_ENTITY(
+            "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"),
+
+    PROTOCOL_NSURI("urn:oasis:names:tc:SAML:2.0:protocol"),
+
+    SIGNATURE_DSA_SHA1("http://www.w3.org/2000/09/xmldsig#dsa-sha1"), SIGNATURE_RSA_SHA1(
+            "http://www.w3.org/2000/09/xmldsig#rsa-sha1"),
+
+    SAML_HTTP_POST_BINDING("urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"), SAML_HTTP_REDIRECT_BINDING(
+            "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"),
+
+    SAML_11_NS("urn:oasis:names:tc:SAML:1.0:assertion"),
+
+    SUBJECT_CONFIRMATION_BEARER("urn:oasis:names:tc:SAML:2.0:cm:bearer"),
+
+    STATUS_AUTHNFAILED("urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"), STATUS_INVALID_ATTRNAMEVAL(
+            "urn:oasis:names:tc:SAML:2.0:status:InvalidAttrnameOrValue"), STATUS_INVALID_NAMEIDPOLICY(
+            "urn:oasis:names:tc:SAML:2.0:status:InvalidNameIDPolicy"), STATUS_NOAUTHN_CTX(
+            "urn:oasis:names:tc:SAML:2.0:status:NoAuthnContext"), STATUS_NO_AVAILABLE_IDP(
+            "urn:oasis:names:tc:SAML:2.0:status:NoAvailableIDP"), STATUS_NO_PASSIVE(
+            "urn:oasis:names:tc:SAML:2.0:status:NoPassive"), STATUS_NO_SUPPORTED_IDP(
+            "urn:oasis:names:tc:SAML:2.0:status:NoSupportedIDP"), STATUS_PARTIAL_LOGOUT(
+            "urn:oasis:names:tc:SAML:2.0:status:PartialLogout"), STATUS_PROXYCOUNT_EXCEEDED(
+            "urn:oasis:names:tc:SAML:2.0:status:ProxyCountExceeded"), STATUS_REQUEST_DENIED(
+            "urn:oasis:names:tc:SAML:2.0:status:RequestDenied"), STATUS_REQUEST_UNSUPPORTED(
+            "urn:oasis:names:tc:SAML:2.0:status:RequestUnsupported"), STATUS_REQUEST_VERSION_DEPRECATED(
+            "urn:oasis:names:tc:SAML:2.0:status:RequestVersionDeprecated"), STATUS_REQUEST_VERSION_2HIGH(
+            "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooHigh"), STATUS_REQUEST_VERSION_2LOW(
+            "urn:oasis:names:tc:SAML:2.0:status:RequestVersionTooLow"), STATUS_RESOURCE_NOT_RECOGNIZED(
+            "urn:oasis:names:tc:SAML:2.0:status:ResourceNotRecognized"), STATUS_2MANY_RESPONSES(
+            "urn:oasis:names:tc:SAML:2.0:status:TooManyResponses"), STATUS_UNKNOWN_ATTR_PROFILE(
+            "urn:oasis:names:tc:SAML:2.0:status:UnknownAttributeProfile"), STATUS_UNKNOWN_PRINCIPAL(
+            "urn:oasis:names:tc:SAML:2.0:status:UnknownPrincipal"), STATUS_UNSUPPORTED_BINDING(
+            "urn:oasis:names:tc:SAML:2.0:status:UnsupportedBinding"),
+
+    STATUS_REQUESTOR("urn:oasis:names:tc:SAML:2.0:status:Requestor"), STATUS_RESPONDER(
+            "urn:oasis:names:tc:SAML:2.0:status:Responder"), STATUS_SUCCESS("urn:oasis:names:tc:SAML:2.0:status:Success"), STATUS_VERSION_MISMATCH(
+            "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch"),
+
+    TRANSFORM_ENVELOPED_SIGNATURE("http://www.w3.org/2000/09/xmldsig#enveloped-signature"), TRANSFORM_C14N_EXCL_OMIT_COMMENTS(
+            "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"),
+
+    XSI_PREFIX("xsi"), X500_PREFIX("x500"), X500_NSURI("urn:oasis:names:tc:SAML:2.0:profiles:attribute:X500"), XACML_NSURI(
+            "urn:oasis:names:tc:xacml:2.0:context:schema:os"), XACML_SAML_NSURI("urn:oasis:xacml:2.0:saml:assertion:schema:os"), XACML_SAML_PROTO_NSURI(
+            "urn:oasis:xacml:2.0:saml:protocol:schema:os"), XML("http://www.w3.org/XML/1998/namespace"), XMLSCHEMA_NSURI(
+            "http://www.w3.org/2001/XMLSchema"), XMLDSIG_NSURI("http://www.w3.org/2000/09/xmldsig#"), XMLENC_NSURI(
+            "http://www.w3.org/2001/04/xmlenc#"), XSI_NSURI("http://www.w3.org/2001/XMLSchema-instance");
+
+    private String uri = null;
+
+    private JBossSAMLURIConstants(String uristr) {
+        this.uri = uristr;
+    }
+
+    public String get() {
+        return this.uri;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/PicketLinkCommonConstants.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/PicketLinkCommonConstants.java
new file mode 100755
index 0000000000..62162cafca
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/PicketLinkCommonConstants.java
@@ -0,0 +1,30 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.constants;
+
+/**
+ * Common Constants
+ * @author anil saldhana
+ * @since Jan 28, 2013
+ */
+public interface PicketLinkCommonConstants {
+
+    String PBE_ALGORITHM = "PBEwithMD5andDES";
+    // Prefix to indicate a particular configuration property value is masked
+    String PASS_MASK_PREFIX = "MASK-";
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/SAMLAuthenticationContextClass.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/SAMLAuthenticationContextClass.java
new file mode 100755
index 0000000000..284bd73381
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/SAMLAuthenticationContextClass.java
@@ -0,0 +1,63 @@
+package org.keycloak.saml.common.constants;
+
+/**
+ * <p>A enum that maps a alias for each SAML Authentication Context Class.</p>
+ *
+ * @author pedroigor
+ */
+public enum SAMLAuthenticationContextClass {
+
+    INTERNET_PROTOCOL("internetProtocol", "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol"),
+    INTERNET_PROTOCOL_PASSWORD("internetProtocolPassword", "urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocolPassword"),
+    KERBEROS("kerberos", "urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos"),
+    MOBILE_ONE_FACTOR_UNREGISTERED("mobileOneFactorUnregistered", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorUnregistered"),
+    MOBILE_TWO_FACTOR_UNREGISTERED("mobileTwoFactorUnregistered", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorUnregistered"),
+    MOBILE_ONE_FACTOR_CONTRACT("mobileOneFactorContract", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileOneFactorContract"),
+    MOBILE_TWO_FACTOR_CONTRACT("mobileTwoFactorContract", "urn:oasis:names:tc:SAML:2.0:ac:classes:MobileTwoFactorContract"),
+    PASSWORD("password", "urn:oasis:names:tc:SAML:2.0:ac:classes:password"),
+    PASSWORD_PROTECTED_TRANSPORT("passwordProtectedTransport", "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"),
+    PREVIOUS_SESSION("previousSession", "urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession"),
+    X509("X509", "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"),
+    PGP("PGP", "urn:oasis:names:tc:SAML:2.0:ac:classes:PGP"),
+    SPKI("SPKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:SPKI"),
+    XMLDSig("XMLDSig", "urn:oasis:names:tc:SAML:2.0:ac:classes:XMLDSig"),
+    SMARTCARD("smartcard", "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard"),
+    SMARTCARD_PKI("smartcardPKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI"),
+    SOFTWARE_PKI("softwarePKI", "urn:oasis:names:tc:SAML:2.0:ac:classes:SoftwarePKI"),
+    TELEPHONY("telephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:Telephony"),
+    NOMAD_TELEPHONY("nomadTelephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:NomadTelephony"),
+    PERSONAL_TELEPHONY("personalTelephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:PersonalTelephony"),
+    AUTHENTICATED_TELEPHONY("authenticatedTelephony", "urn:oasis:names:tc:SAML:2.0:ac:classes:AuthenticatedTelephony"),
+    SECURE_REMOTE_PASSWORD("secureRemotePassword", "urn:oasis:names:tc:SAML:2.0:ac:classes:SecureRemotePassword"),
+    TLSClient("TLSClient", "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient"),
+    TIME_SYNC_TOKEN("timeSyncToken", "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"),
+    UNSPECIFIED("unspecified", "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified");
+
+    private final String alias;
+    private final String fqn;
+
+    SAMLAuthenticationContextClass(final String alias, final String fqn) {
+        this.alias = alias;
+        this.fqn = fqn;
+    }
+
+    public String getAlias() {
+        return this.alias;
+    }
+
+    public String getFqn() {
+        return this.fqn;
+    }
+
+    public static SAMLAuthenticationContextClass forAlias(String alias) {
+        if (alias != null) {
+            for (SAMLAuthenticationContextClass contextClass: values()) {
+                if (contextClass.getAlias().equals(alias.trim())) {
+                    return contextClass;
+                }
+            }
+        }
+
+        return null;
+    }
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/WSTrustConstants.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/WSTrustConstants.java
new file mode 100755
index 0000000000..000f041f08
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/constants/WSTrustConstants.java
@@ -0,0 +1,242 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2009, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.keycloak.saml.common.constants;
+
+import javax.xml.namespace.QName;
+
+/**
+ * <p> This class defines the constants used throughout the WS-Trust implementation code. </p>
+ *
+ * @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
+ * @author <a href="mailto:asaldhan@redhat.com">Anil Saldhana</a>
+ */
+public interface WSTrustConstants {
+
+    String BASE_NAMESPACE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512";
+
+    String PREFIX = "wst";
+
+    // WS-Trust request types
+    String BATCH_ISSUE_REQUEST = BASE_NAMESPACE + "/BatchIssue";
+
+    String ISSUE_REQUEST = BASE_NAMESPACE + "/Issue";
+
+    String RENEW_REQUEST = BASE_NAMESPACE + "/Renew";
+
+    String CANCEL_REQUEST = BASE_NAMESPACE + "/Cancel";
+
+    String VALIDATE_REQUEST = BASE_NAMESPACE + "/Validate";
+
+    String BATCH_VALIDATE_REQUEST = BASE_NAMESPACE + "/BatchValidate";
+
+    // WS-Trust validation constants.
+    String STATUS_TYPE = BASE_NAMESPACE + "/RSTR/Status";
+
+    String STATUS_CODE_VALID = BASE_NAMESPACE + "/status/valid";
+
+    String STATUS_CODE_INVALID = BASE_NAMESPACE + "/status/invalid";
+
+    // WS-Trust key types.
+    String KEY_TYPE_BEARER = BASE_NAMESPACE + "/Bearer";
+
+    String KEY_TYPE_SYMMETRIC = BASE_NAMESPACE + "/SymmetricKey";
+
+    String KEY_TYPE_PUBLIC = BASE_NAMESPACE + "/PublicKey";
+
+    // WS-Trust binary secret types.
+    String BS_TYPE_ASYMMETRIC = BASE_NAMESPACE + "/AsymmetricKey";
+
+    String BS_TYPE_SYMMETRIC = BASE_NAMESPACE + "/SymmetricKey";
+
+    String BS_TYPE_NONCE = BASE_NAMESPACE + "/Nonce";
+
+    // WS-Trust computed key types.
+    String CK_PSHA1 = BASE_NAMESPACE + "/CK/PSHA1";
+
+    // WSS namespaces values.
+    String WSA_NS = "http://www.w3.org/2005/08/addressing";
+
+    String WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy";
+
+    String WSP_15_NS = "http://www.w3.org/ns/ws-policy";
+
+    String WSU_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd";
+
+    String WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";
+
+    String WSSE11_NS = "http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd";
+
+    String XENC_NS = "http://www.w3.org/2001/04/xmlenc#";
+
+    String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
+
+    String SAML2_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
+
+    // WSS Fault codes
+    QName SECURITY_TOKEN_UNAVAILABLE = new QName(WSSE_NS, "SecurityTokenUnavailable");
+
+    QName INVALID_SECURITY_TOKEN = new QName(WSSE_NS, "InvalidSecurityToken");
+
+    QName INVALID_SECURITY = new QName(WSSE_NS, "InvalidSecurity");
+
+    QName FAILED_AUTHENTICATION = new QName(WSSE_NS, "FailedAuthentication");
+
+    // Token Types
+    String RSTR_STATUS_TOKEN_TYPE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/RSTR/Status";
+
+    // Element Names
+    String BINARY_SECRET = "BinarySecret";
+
+    String CREATED = "Created";
+
+    String COMPUTED_KEY_ALGORITHM = "ComputedKeyAlgorithm";
+
+    String ENTROPY = "Entropy";
+
+    String EXPIRES = "Expires";
+
+    String ISSUER = "Issuer";
+
+    String ON_BEHALF_OF = "OnBehalfOf";
+
+    String COMPUTED_KEY = "ComputedKey";
+
+    String KEY_SIZE = "KeySize";
+
+    String KEY_TYPE = "KeyType";
+
+    String LIFETIME = "Lifetime";
+
+    String RENEWING = "Renewing";
+
+    String RST = "RequestSecurityToken";
+
+    String RSTR = "RequestSecurityTokenResponse";
+
+    String RST_COLLECTION = "RequestSecurityTokenCollection";
+
+    String RSTR_COLLECTION = "RequestSecurityTokenResponseCollection";
+
+    String REQUESTED_TOKEN = "RequestedSecurityToken";
+
+    String REQUESTED_TOKEN_CANCELLED = "RequestedTokenCancelled";
+
+    String REQUESTED_PROOF_TOKEN = "RequestedProofToken";
+
+    String REQUESTED_ATTACHED_REFERENCE = "RequestedAttachedReference";
+
+    String REQUESTED_UNATTACHED_REFERENCE = "RequestedUnattachedReference";
+
+    String REQUEST_TYPE = "RequestType";
+
+    String TOKEN_TYPE = "TokenType";
+
+    String CANCEL_TARGET = "CancelTarget";
+
+    String RENEW_TARGET = "RenewTarget";
+
+    String SECONDARY_PARAMETERS = "SecondaryParameters";
+
+    String VALIDATE_TARGET = "ValidateTarget";
+
+    String USE_KEY = "UseKey";
+
+    String STATUS = "Status";
+
+    String CODE = "Code";
+
+    String REASON = "Reason";
+
+    // Attribute Names
+    String ALLOW = "Allow";
+
+    String OK = "OK";
+
+    String RST_CONTEXT = "Context";
+
+    String TYPE = "Type";
+
+    String VALUE_TYPE = "ValueType";
+
+    public interface XMLDSig {
+
+        String DSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
+
+        String EXPONENT = "Exponent";
+
+        String KEYINFO = "KeyInfo";
+
+        String KEYVALUE = "KeyValue";
+
+        String MODULUS = "Modulus";
+
+        String DSIG_PREFIX = "ds";
+
+        String RSA_KEYVALUE = "RSAKeyValue";
+
+        String DSA_KEYVALUE = "DSAKeyValue";
+
+        String X509DATA = "X509Data";
+
+        String X509CERT = "X509Certificate";
+
+        String P = "P";
+        String Q = "Q";
+        String G = "G";
+        String Y = "Y";
+        String SEED = "Seed";
+        String PGEN_COUNTER = "PgenCounter";
+    }
+
+    public interface XMLEnc {
+
+        String XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#";
+
+        String ENCRYPTED_KEY = "EncryptedKey";
+    }
+
+    public interface WSSE {
+
+        String ID = "Id";
+
+        String KEY_IDENTIFIER = "KeyIdentifier";
+
+        String KEY_IDENTIFIER_VALUETYPE_SAML = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID";
+
+        String REFERENCE = "Reference";
+
+        String PREFIX_11 = "wsse11";
+
+        // http://www.ws-i.org/Profiles/KerberosTokenProfile-1.0.html#Kerberos_Security_Token_URI
+        String KERBEROS = "http://docs.oasis-open.org/wss/2005/xx/oasis-2005xx-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ";
+
+        String SECURITY_TOKEN_REFERENCE = "SecurityTokenReference";
+
+        String BINARY_SECURITY_TOKEN = "BinarySecurityToken";
+
+        String USERNAME_TOKEN = "UsernameToken";
+
+        String URI = "URI";
+
+        String VALUE_TYPE = "ValueType";
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ConfigurationException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ConfigurationException.java
new file mode 100755
index 0000000000..dd1b9ddf60
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ConfigurationException.java
@@ -0,0 +1,46 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.exceptions;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Exception indicating an issue with the configuration
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since May 22, 2009
+ */
+public class ConfigurationException extends GeneralSecurityException {
+    private static final long serialVersionUID = 1L;
+
+    public ConfigurationException() {
+        super();
+    }
+
+    public ConfigurationException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public ConfigurationException(String message) {
+        super(message);
+    }
+
+    public ConfigurationException(Throwable cause) {
+        super(cause);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/NotImplementedException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/NotImplementedException.java
new file mode 100755
index 0000000000..e49603a422
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/NotImplementedException.java
@@ -0,0 +1,36 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2012, Red Hat, Inc., and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.keycloak.saml.common.exceptions;
+
+/**
+ * <p>An exception that indicates that something is not ready for use. Usually, this exception is thrown from methods not
+ * fully implemented or tested but available for invocation.</p>
+ *
+ * @author Pedro Igor
+ */
+public class NotImplementedException extends PicketLinkException {
+
+    public NotImplementedException(String message) {
+        super(message);
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ParsingException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ParsingException.java
new file mode 100755
index 0000000000..fb02e6f95a
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ParsingException.java
@@ -0,0 +1,64 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.exceptions;
+
+import javax.xml.stream.Location;
+import javax.xml.stream.XMLStreamException;
+import java.security.GeneralSecurityException;
+
+/**
+ * General Exception indicating parsing exception
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since May 22, 2009
+ */
+public class ParsingException extends GeneralSecurityException {
+    private static final long serialVersionUID = 1L;
+
+    private Location location;
+
+    public ParsingException() {
+        super();
+    }
+
+    public ParsingException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public ParsingException(String message) {
+        super(message);
+    }
+
+    public ParsingException(Throwable cause) {
+        super(cause);
+    }
+
+    public ParsingException(XMLStreamException xmle) {
+        super(xmle);
+        location = xmle.getLocation();
+    }
+
+    public Location getLocation() {
+        return location;
+    }
+
+    @Override
+    public String toString() {
+        return "ParsingException [location=" + location + "]" + super.toString();
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/PicketLinkException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/PicketLinkException.java
new file mode 100755
index 0000000000..0a6645da14
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/PicketLinkException.java
@@ -0,0 +1,47 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.exceptions;
+
+/**
+ * <p>Any exception that is raised by the security module extends from this runtime exception class, making it easy for
+ * other modules and extensions to catch all security-related exceptions in a single catch block, if need be.
+ * </p>
+ *
+ * <p>This class is used as the root instead of {@link SecurityException} to avoid confusion and potential conflicts. Eg.: many other
+ * frameworks and products (eg.: JEE containers) relies on the {@link SecurityException} to perform some special handling.</p>
+ */
+public class PicketLinkException extends RuntimeException {
+
+    private static final long serialVersionUID = 789326682407249952L;
+
+    public PicketLinkException() {
+        super();
+    }
+
+    public PicketLinkException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public PicketLinkException(String message) {
+        super(message);
+    }
+
+    public PicketLinkException(Throwable cause) {
+        super(cause);
+    }
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ProcessingException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ProcessingException.java
new file mode 100755
index 0000000000..313e9e10f0
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/ProcessingException.java
@@ -0,0 +1,46 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.exceptions;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Exception to indicate a server processing error
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since May 22, 2009
+ */
+public class ProcessingException extends GeneralSecurityException {
+    private static final long serialVersionUID = 1L;
+
+    public ProcessingException() {
+        super();
+    }
+
+    public ProcessingException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public ProcessingException(String message) {
+        super(message);
+    }
+
+    public ProcessingException(Throwable cause) {
+        super(cause);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyConfigurationException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyConfigurationException.java
new file mode 100755
index 0000000000..f8fc73615a
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyConfigurationException.java
@@ -0,0 +1,44 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.exceptions;
+
+/**
+ * ConfigurationException in the TrustKeyManager
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since May 22, 2009
+ */
+public class TrustKeyConfigurationException extends ConfigurationException {
+    private static final long serialVersionUID = 1L;
+
+    public TrustKeyConfigurationException() {
+        super();
+    }
+
+    public TrustKeyConfigurationException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public TrustKeyConfigurationException(String message) {
+        super(message);
+    }
+
+    public TrustKeyConfigurationException(Throwable cause) {
+        super(cause);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyProcessingException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyProcessingException.java
new file mode 100755
index 0000000000..e08644ad17
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/TrustKeyProcessingException.java
@@ -0,0 +1,44 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.exceptions;
+
+/**
+ * Processing Exception in the trust key manager
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since May 22, 2009
+ */
+public class TrustKeyProcessingException extends ProcessingException {
+    private static final long serialVersionUID = 1L;
+
+    public TrustKeyProcessingException() {
+        super();
+    }
+
+    public TrustKeyProcessingException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public TrustKeyProcessingException(String message) {
+        super(message);
+    }
+
+    public TrustKeyProcessingException(Throwable cause) {
+        super(cause);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/AssertionExpiredException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/AssertionExpiredException.java
new file mode 100755
index 0000000000..3877363ee2
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/AssertionExpiredException.java
@@ -0,0 +1,54 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.exceptions.fed;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Security Exception indicating expiration of SAML2 assertion
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 12, 2008
+ */
+public class AssertionExpiredException extends GeneralSecurityException {
+    private static final long serialVersionUID = 1L;
+
+    protected String id;
+
+    public AssertionExpiredException() {
+    }
+
+    public AssertionExpiredException(String message, Throwable cause) {
+    }
+
+    public AssertionExpiredException(String msg) {
+        super(msg);
+    }
+
+    public AssertionExpiredException(Throwable cause) {
+        super(cause);
+    }
+
+    public String getId() {
+        return id;
+    }
+
+    public void setId(String id) {
+        this.id = id;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssueInstantMissingException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssueInstantMissingException.java
new file mode 100755
index 0000000000..aae6dd5a81
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssueInstantMissingException.java
@@ -0,0 +1,46 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.exceptions.fed;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Exception indicating that the IssueInstant is missing
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 3, 2009
+ */
+public class IssueInstantMissingException extends GeneralSecurityException {
+    private static final long serialVersionUID = 1L;
+
+    public IssueInstantMissingException() {
+        super();
+    }
+
+    public IssueInstantMissingException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public IssueInstantMissingException(String msg) {
+        super(msg);
+    }
+
+    public IssueInstantMissingException(Throwable cause) {
+        super(cause);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssuerNotTrustedException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssuerNotTrustedException.java
new file mode 100755
index 0000000000..a9cc5244a4
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/IssuerNotTrustedException.java
@@ -0,0 +1,46 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.exceptions.fed;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Exception indicating that the issuer is not trusted
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jan 26, 2009
+ */
+public class IssuerNotTrustedException extends GeneralSecurityException {
+    private static final long serialVersionUID = 1L;
+
+    public IssuerNotTrustedException() {
+        super();
+    }
+
+    public IssuerNotTrustedException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public IssuerNotTrustedException(String msg) {
+        super(msg);
+    }
+
+    public IssuerNotTrustedException(Throwable cause) {
+        super(cause);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/SignatureValidationException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/SignatureValidationException.java
new file mode 100755
index 0000000000..59f0b828ed
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/SignatureValidationException.java
@@ -0,0 +1,45 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.exceptions.fed;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * Indicates the failure of signature validation
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jul 28, 2011
+ */
+public class SignatureValidationException extends GeneralSecurityException {
+    private static final long serialVersionUID = 1L;
+
+    public SignatureValidationException() {
+    }
+
+    public SignatureValidationException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    public SignatureValidationException(String msg) {
+        super(msg);
+    }
+
+    public SignatureValidationException(Throwable cause) {
+        super(cause);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/WSTrustException.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/WSTrustException.java
new file mode 100755
index 0000000000..75f56ffb71
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/exceptions/fed/WSTrustException.java
@@ -0,0 +1,67 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.exceptions.fed;
+
+import java.security.GeneralSecurityException;
+
+/**
+ * <p>
+ * Exception used to convey that an error has happened when handling a WS-Trust request message.
+ * </p>
+ *
+ * @author <a href="mailto:sguilhen@redhat.com">Stefan Guilhen</a>
+ */
+public class WSTrustException extends GeneralSecurityException {
+
+    private static final long serialVersionUID = -232066282004315310L;
+
+    /**
+     * <p>
+     * Creates an instance of {@code WSTrustException} using the specified error message.
+     * </p>
+     *
+     * @param message the error message.
+     */
+    public WSTrustException(String message) {
+        super(message);
+    }
+
+    /**
+     * <p>
+     * Creates an instance of {@code WSTrustException} using the specified error message and cause.
+     * </p>
+     *
+     * @param message the error message.
+     * @param cause a {@code Throwable} representing the cause of the error.
+     */
+    public WSTrustException(String message, Throwable cause) {
+        super(message, cause);
+    }
+
+    /**
+     * <p>
+     * Creates an instance of {@code WSTrustException} using the specified {@link Throwable}.
+     * </p>
+     *
+     * @param message the error message.
+     */
+    public WSTrustException(Throwable t) {
+        super(t);
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/parsers/AbstractParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/parsers/AbstractParser.java
new file mode 100755
index 0000000000..3b5d545aff
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/parsers/AbstractParser.java
@@ -0,0 +1,136 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.parsers;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.common.util.SystemPropertiesUtil;
+
+import javax.xml.stream.EventFilter;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.events.Characters;
+import javax.xml.stream.events.XMLEvent;
+import java.io.InputStream;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * Base class for parsers
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Oct 12, 2010
+ */
+public abstract class AbstractParser implements ParserNamespaceSupport {
+
+    protected static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * Get the JAXP {@link XMLInputFactory}
+     *
+     * @return
+     */
+    protected XMLInputFactory getXMLInputFactory() {
+        boolean tccl_jaxp = SystemPropertiesUtil.getSystemProperty(GeneralConstants.TCCL_JAXP, "false")
+                .equalsIgnoreCase("true");
+        ClassLoader prevTCCL = getTCCL();
+        try {
+            if (tccl_jaxp) {
+                setTCCL(getClass().getClassLoader());
+            }
+            return XMLInputFactory.newInstance();
+        } finally {
+            if (tccl_jaxp) {
+                setTCCL(prevTCCL);
+            }
+        }
+    }
+
+    /**
+     * Parse an InputStream for payload
+     *
+     * @param configStream
+     *
+     * @return
+     *
+     * @throws {@link IllegalArgumentException}
+     * @throws {@link IllegalArgumentException} when the configStream is null
+     */
+    public Object parse(InputStream configStream) throws ParsingException {
+        if (configStream == null)
+            throw logger.nullArgumentError("InputStream");
+
+        XMLInputFactory xmlInputFactory = getXMLInputFactory();
+
+        XMLEventReader xmlEventReader = StaxParserUtil.getXMLEventReader(configStream);
+
+        try {
+            xmlEventReader = xmlInputFactory.createFilteredReader(xmlEventReader, new EventFilter() {
+                public boolean accept(XMLEvent xmlEvent) {
+                    // We are going to disregard characters that are new line and whitespace
+                    if (xmlEvent.isCharacters()) {
+                        Characters chars = xmlEvent.asCharacters();
+                        String data = chars.getData();
+                        data = valid(data) ? data.trim() : null;
+                        return valid(data);
+                    } else {
+                        return xmlEvent.isStartElement() || xmlEvent.isEndElement();
+                    }
+                }
+
+                private boolean valid(String str) {
+                    return str != null && str.length() > 0;
+                }
+            });
+        } catch (XMLStreamException e) {
+            throw logger.parserException(e);
+        }
+
+        return parse(xmlEventReader);
+    }
+
+    private ClassLoader getTCCL() {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
+                public ClassLoader run() {
+                    return Thread.currentThread().getContextClassLoader();
+                }
+            });
+        } else {
+            return Thread.currentThread().getContextClassLoader();
+        }
+    }
+
+    private void setTCCL(final ClassLoader paramCl) {
+        if (System.getSecurityManager() != null) {
+            AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                public Void run() {
+                    Thread.currentThread().setContextClassLoader(paramCl);
+                    return null;
+                }
+            });
+        } else {
+            Thread.currentThread().setContextClassLoader(paramCl);
+        }
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/parsers/ParserNamespaceSupport.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/parsers/ParserNamespaceSupport.java
new file mode 100755
index 0000000000..197143c197
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/parsers/ParserNamespaceSupport.java
@@ -0,0 +1,54 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.parsers;
+
+import org.keycloak.saml.common.exceptions.ParsingException;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+
+/**
+ * <p>
+ * Interface to indicate the parser supports a particular namespace.
+ * </p>
+ *
+ * <p>
+ * This class needs to be moved to the security common project.
+ * </p>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Feb 5, 2010
+ */
+public interface ParserNamespaceSupport {
+    /**
+     * Parse the event stream
+     *
+     * @param xmlEventReader
+     * @return
+     * @throws ParsingException
+     */
+    Object parse(XMLEventReader xmlEventReader) throws ParsingException;
+
+    /**
+     * Returns whether the parser supports parsing a particular namespace
+     *
+     * @param qname
+     * @return
+     */
+    boolean supports(QName qname);
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/util/Base64.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/Base64.java
new file mode 100755
index 0000000000..928a8f46b6
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/Base64.java
@@ -0,0 +1,1279 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.util;
+
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * Encodes and decodes to and from Base64 notation.
+ *
+ * <p>
+ * Change Log:
+ * </p>
+ * <ul>
+ * <li>v2.1 - Cleaned up javadoc comments and unused variables and methods. Added some convenience methods for reading
+ * and
+ * writing to and from files.</li>
+ * <li>v2.0.2 - Now specifies UTF-8 encoding in places where the code fails on systems with other encodings (like
+ * EBCDIC).</li>
+ * <li>v2.0.1 - Fixed an error when decoding a single byte, that is, when the encoded data was a single byte.</li>
+ * <li>v2.0 - I got rid of methods that used booleans to set options. Now everything is more consolidated and cleaner.
+ * The code
+ * now detects when data that's being decoded is gzip-compressed and will decompress it automatically. Generally things
+ * are
+ * cleaner. You'll probably have to change some method calls that you were making to support the new options format (
+ * <tt>int</tt>s that you "OR" together).</li>
+ * <li>v1.5.1 - Fixed bug when decompressing and decoding to a byte[] using <tt>decode( String s, boolean
+ * gzipCompressed
+ * )</tt>.
+ * Added the ability to "suspend" encoding in the Output Stream so you can turn on and off the encoding if you need to
+ * embed
+ * base64 data in an otherwise "normal" stream (like an XML file).</li>
+ * <li>v1.5 - Output stream pases on flush() command but doesn't do anything itself. This helps when using GZIP
+ * streams.
+ * Added
+ * the ability to GZip-compress objects before encoding them.</li>
+ * <li>v1.4 - Added helper methods to read/write files.</li>
+ * <li>v1.3.6 - Fixed OutputStream.flush() so that 'position' is reset.</li>
+ * <li>v1.3.5 - Added flag to turn on and off line breaks. Fixed bug in input stream where last buffer being read, if
+ * not
+ * completely full, was not returned.</li>
+ * <li>v1.3.4 - Fixed when "improperly padded stream" error was thrown at the wrong time.</li>
+ * <li>v1.3.3 - Fixed I/O streams which were totally messed up.</li>
+ * </ul>
+ *
+ * <p>
+ * I am placing this code in the Public Domain. Do with it as you will. This software comes with no guarantees or
+ * warranties but
+ * with plenty of well-wishing instead! Please visit <a href="http://iharder.net/base64">http://iharder.net/base64</a>
+ * periodically to check for updates or to contribute improvements.
+ * </p>
+ *
+ * @author Robert Harder
+ * @author rob@iharder.net
+ * @version 2.1
+ */
+public class Base64 {
+
+    private static Logger logger = Logger.getLogger(Base64.class.getCanonicalName());
+
+    /* ******** P U B L I C F I E L D S ******** */
+
+    /** No options specified. Value is zero. */
+    public static final int NO_OPTIONS = 0;
+
+    /** Specify encoding. */
+    public static final int ENCODE = 1;
+
+    /** Specify decoding. */
+    public static final int DECODE = 0;
+
+    /** Specify that data should be gzip-compressed. */
+    public static final int GZIP = 2;
+
+    /** Don't break lines when encoding (violates strict Base64 specification) */
+    public static final int DONT_BREAK_LINES = 8;
+
+    /* ******** P R I V A T E F I E L D S ******** */
+
+    /** Maximum line length (76) of Base64 output. */
+    private static final int MAX_LINE_LENGTH = 76;
+
+    /** The equals sign (=) as a byte. */
+    private static final byte EQUALS_SIGN = (byte) '=';
+
+    /** The new line character (\n) as a byte. */
+    private static final byte NEW_LINE = (byte) '\n';
+
+    /** Preferred encoding. */
+    private static final String PREFERRED_ENCODING = "UTF-8";
+
+    /** The 64 valid Base64 values. */
+    private static final byte[] ALPHABET;
+    private static final byte[] _NATIVE_ALPHABET = /* May be something funny like EBCDIC */
+            {(byte) 'A', (byte) 'B', (byte) 'C', (byte) 'D', (byte) 'E', (byte) 'F', (byte) 'G', (byte) 'H', (byte) 'I', (byte) 'J',
+                    (byte) 'K', (byte) 'L', (byte) 'M', (byte) 'N', (byte) 'O', (byte) 'P', (byte) 'Q', (byte) 'R', (byte) 'S',
+                    (byte) 'T', (byte) 'U', (byte) 'V', (byte) 'W', (byte) 'X', (byte) 'Y', (byte) 'Z', (byte) 'a', (byte) 'b',
+                    (byte) 'c', (byte) 'd', (byte) 'e', (byte) 'f', (byte) 'g', (byte) 'h', (byte) 'i', (byte) 'j', (byte) 'k',
+                    (byte) 'l', (byte) 'm', (byte) 'n', (byte) 'o', (byte) 'p', (byte) 'q', (byte) 'r', (byte) 's', (byte) 't',
+                    (byte) 'u', (byte) 'v', (byte) 'w', (byte) 'x', (byte) 'y', (byte) 'z', (byte) '0', (byte) '1', (byte) '2',
+                    (byte) '3', (byte) '4', (byte) '5', (byte) '6', (byte) '7', (byte) '8', (byte) '9', (byte) '+', (byte) '/'};
+
+    /** Determine which ALPHABET to use. */
+    static {
+        byte[] __bytes;
+        try {
+            __bytes = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".getBytes(PREFERRED_ENCODING);
+        } // end try
+        catch (java.io.UnsupportedEncodingException use) {
+            __bytes = _NATIVE_ALPHABET; // Fall back to native encoding
+        } // end catch
+        ALPHABET = __bytes;
+    } // end static
+
+    /**
+     * Translates a Base64 value to either its 6-bit reconstruction value or a negative number indicating some other meaning.
+     **/
+    private static final byte[] DECODABET = {-9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 0 - 8
+            -5, -5, // Whitespace: Tab and Linefeed
+            -9, -9, // Decimal 11 - 12
+            -5, // Whitespace: Carriage Return
+            -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 14 - 26
+            -9, -9, -9, -9, -9, // Decimal 27 - 31
+            -5, // Whitespace: Space
+            -9, -9, -9, -9, -9, -9, -9, -9, -9, -9, // Decimal 33 - 42
+            62, // Plus sign at decimal 43
+            -9, -9, -9, // Decimal 44 - 46
+            63, // Slash at decimal 47
+            52, 53, 54, 55, 56, 57, 58, 59, 60, 61, // Numbers zero through nine
+            -9, -9, -9, // Decimal 58 - 60
+            -1, // Equals sign at decimal 61
+            -9, -9, -9, // Decimal 62 - 64
+            0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, // Letters 'A' through 'N'
+            14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, // Letters 'O' through 'Z'
+            -9, -9, -9, -9, -9, -9, // Decimal 91 - 96
+            26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, // Letters 'a' through 'm'
+            39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, // Letters 'n' through 'z'
+            -9, -9, -9, -9 // Decimal 123 - 126
+    /*
+     * ,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 127 - 139 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 140 -
+     * 152 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 153 - 165 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 166 -
+     * 178 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 179 - 191 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 192 -
+     * 204 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 205 - 217 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 218 -
+     * 230 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9, // Decimal 231 - 243 -9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9,-9 // Decimal 244 - 255
+     */
+    };
+
+    // I think I end up not using the BAD_ENCODING indicator.
+    // private static final byte BAD_ENCODING = -9; // Indicates error in encoding
+    private static final byte WHITE_SPACE_ENC = -5; // Indicates white space in encoding
+    private static final byte EQUALS_SIGN_ENC = -1; // Indicates equals sign in encoding
+
+    /** Defeats instantiation. */
+    private Base64() {
+    }
+
+    /* ******** E N C O D I N G M E T H O D S ******** */
+
+    /**
+     * Encodes up to the first three bytes of array <var>threeBytes</var> and returns a four-byte array in Base64 notation. The
+     * actual number of significant bytes in your array is given by <var>numSigBytes</var>. The array <var>threeBytes</var>
+     * needs only be as big as <var>numSigBytes</var>. Code can reuse a byte array by passing a four-byte array as
+     * <var>b4</var>.
+     *
+     * @param b4 A reusable byte array to reduce array instantiation
+     * @param threeBytes the array to convert
+     * @param numSigBytes the number of significant bytes in your array
+     * @return four byte array in Base64 notation.
+     * @since 1.5.1
+     */
+    private static byte[] encode3to4(byte[] b4, byte[] threeBytes, int numSigBytes) {
+        encode3to4(threeBytes, 0, numSigBytes, b4, 0);
+        return b4;
+    } // end encode3to4
+
+    /**
+     * Encodes up to three bytes of the array <var>source</var> and writes the resulting four Base64 bytes to
+     * <var>destination</var>. The source and destination arrays can be manipulated anywhere along their length by specifying
+     * <var>srcOffset</var> and <var>destOffset</var>. This method does not check to make sure your arrays are large enough to
+     * accomodate <var>srcOffset</var> + 3 for the <var>source</var> array or <var>destOffset</var> + 4 for the
+     * <var>destination</var> array. The actual number of significant bytes in your array is given by <var>numSigBytes</var>.
+     *
+     * @param source the array to convert
+     * @param srcOffset the index where conversion begins
+     * @param numSigBytes the number of significant bytes in your array
+     * @param destination the array to hold the conversion
+     * @param destOffset the index where output will be put
+     * @return the <var>destination</var> array
+     * @since 1.3
+     */
+    private static byte[] encode3to4(byte[] source, int srcOffset, int numSigBytes, byte[] destination, int destOffset) {
+        // 1 2 3
+        // 01234567890123456789012345678901 Bit position
+        // --------000000001111111122222222 Array position from threeBytes
+        // --------| || || || | Six bit groups to index ALPHABET
+        // >>18 >>12 >> 6 >> 0 Right shift necessary
+        // 0x3f 0x3f 0x3f Additional AND
+
+        // Create buffer with zero-padding if there are only one or two
+        // significant bytes passed in the array.
+        // We have to shift left 24 in order to flush out the 1's that appear
+        // when Java treats a value as negative that is cast from a byte to an int.
+        int inBuff = (numSigBytes > 0 ? ((source[srcOffset] << 24) >>> 8) : 0)
+                | (numSigBytes > 1 ? ((source[srcOffset + 1] << 24) >>> 16) : 0)
+                | (numSigBytes > 2 ? ((source[srcOffset + 2] << 24) >>> 24) : 0);
+
+        switch (numSigBytes) {
+            case 3:
+                destination[destOffset] = ALPHABET[(inBuff >>> 18)];
+                destination[destOffset + 1] = ALPHABET[(inBuff >>> 12) & 0x3f];
+                destination[destOffset + 2] = ALPHABET[(inBuff >>> 6) & 0x3f];
+                destination[destOffset + 3] = ALPHABET[(inBuff) & 0x3f];
+                return destination;
+
+            case 2:
+                destination[destOffset] = ALPHABET[(inBuff >>> 18)];
+                destination[destOffset + 1] = ALPHABET[(inBuff >>> 12) & 0x3f];
+                destination[destOffset + 2] = ALPHABET[(inBuff >>> 6) & 0x3f];
+                destination[destOffset + 3] = EQUALS_SIGN;
+                return destination;
+
+            case 1:
+                destination[destOffset] = ALPHABET[(inBuff >>> 18)];
+                destination[destOffset + 1] = ALPHABET[(inBuff >>> 12) & 0x3f];
+                destination[destOffset + 2] = EQUALS_SIGN;
+                destination[destOffset + 3] = EQUALS_SIGN;
+                return destination;
+
+            default:
+                return destination;
+        } // end switch
+    } // end encode3to4
+
+    /**
+     * Serializes an object and returns the Base64-encoded version of that serialized object. If the object cannot be serialized
+     * or there is another error, the method will return <tt>null</tt>. The object is not GZip-compressed before being encoded.
+     *
+     * @param serializableObject The object to encode
+     * @return The Base64-encoded object
+     * @since 1.4
+     */
+    public static String encodeObject(java.io.Serializable serializableObject) {
+        return encodeObject(serializableObject, NO_OPTIONS);
+    } // end encodeObject
+
+    /**
+     * Serializes an object and returns the Base64-encoded version of that serialized object. If the object cannot be serialized
+     * or there is another error, the method will return <tt>null</tt>.
+     * <p>
+     * Valid options:
+     *
+     * <pre>
+     *   GZIP: gzip-compresses object before encoding it.
+     *   DONT_BREAK_LINES: don't break lines at 76 characters
+     *     <i>Note: Technically, this makes your encoding non-compliant.</i>
+     * </pre>
+     * <p>
+     * Example: <code>encodeObject( myObj, Base64.GZIP )</code> or
+     * <p>
+     * Example: <code>encodeObject( myObj, Base64.GZIP | Base64.DONT_BREAK_LINES )</code>
+     *
+     * @param serializableObject The object to encode
+     * @param options Specified options
+     * @return The Base64-encoded object
+     * @see Base64#GZIP
+     * @see Base64#DONT_BREAK_LINES
+     * @since 2.0
+     */
+    public static String encodeObject(java.io.Serializable serializableObject, int options) {
+        // Streams
+        java.io.ByteArrayOutputStream baos = null;
+        java.io.OutputStream b64os = null;
+        java.io.ObjectOutputStream oos = null;
+        java.util.zip.GZIPOutputStream gzos = null;
+
+        // Isolate options
+        int gzip = (options & GZIP);
+        int dontBreakLines = (options & DONT_BREAK_LINES);
+
+        try {
+            // ObjectOutputStream -> (GZIP) -> Base64 -> ByteArrayOutputStream
+            baos = new java.io.ByteArrayOutputStream();
+            b64os = new Base64.OutputStream(baos, ENCODE | dontBreakLines);
+
+            // GZip?
+            if (gzip == GZIP) {
+                gzos = new java.util.zip.GZIPOutputStream(b64os);
+                oos = new java.io.ObjectOutputStream(gzos);
+            } // end if: gzip
+            else
+                oos = new java.io.ObjectOutputStream(b64os);
+
+            oos.writeObject(serializableObject);
+        } // end try
+        catch (java.io.IOException e) {
+            e.printStackTrace();
+            return null;
+        } // end catch
+        finally {
+            try {
+                oos.close();
+            } catch (Exception e) {
+            }
+            try {
+                gzos.close();
+            } catch (Exception e) {
+            }
+            try {
+                b64os.close();
+            } catch (Exception e) {
+            }
+            try {
+                baos.close();
+            } catch (Exception e) {
+            }
+        } // end finally
+
+        // Return value according to relevant encoding.
+        try {
+            return new String(baos.toByteArray(), PREFERRED_ENCODING);
+        } // end try
+        catch (java.io.UnsupportedEncodingException uue) {
+            return new String(baos.toByteArray());
+        } // end catch
+
+    } // end encode
+
+    /**
+     * Encodes a byte array into Base64 notation. Does not GZip-compress data.
+     *
+     * @param source The data to convert
+     * @return the encode bytes
+     * @since 1.4
+     */
+    public static String encodeBytes(byte[] source) {
+        return encodeBytes(source, 0, source.length, NO_OPTIONS);
+    } // end encodeBytes
+
+    /**
+     * Encodes a byte array into Base64 notation.
+     * <p>
+     * Valid options:
+     *
+     * <pre>
+     *   GZIP: gzip-compresses object before encoding it.
+     *   DONT_BREAK_LINES: don't break lines at 76 characters
+     *     <i>Note: Technically, this makes your encoding non-compliant.</i>
+     * </pre>
+     * <p>
+     * Example: <code>encodeBytes( myData, Base64.GZIP )</code> or
+     * <p>
+     * Example: <code>encodeBytes( myData, Base64.GZIP | Base64.DONT_BREAK_LINES )</code>
+     *
+     *
+     * @param source The data to convert
+     * @param options Specified options
+     * @return the encoded bytes
+     * @see Base64#GZIP
+     * @see Base64#DONT_BREAK_LINES
+     * @since 2.0
+     */
+    public static String encodeBytes(byte[] source, int options) {
+        return encodeBytes(source, 0, source.length, options);
+    } // end encodeBytes
+
+    /**
+     * Encodes a byte array into Base64 notation. Does not GZip-compress data.
+     *
+     * @param source The data to convert
+     * @param off Offset in array where conversion should begin
+     * @param len Length of data to convert
+     * @return the text node
+     * @since 1.4
+     */
+    public static String encodeBytes(byte[] source, int off, int len) {
+        return encodeBytes(source, off, len, NO_OPTIONS);
+    } // end encodeBytes
+
+    /**
+     * Encodes a byte array into Base64 notation.
+     * <p>
+     * Valid options:
+     *
+     * <pre>
+     *   GZIP: gzip-compresses object before encoding it.
+     *   DONT_BREAK_LINES: don't break lines at 76 characters
+     *     <i>Note: Technically, this makes your encoding non-compliant.</i>
+     * </pre>
+     * <p>
+     * Example: <code>encodeBytes( myData, Base64.GZIP )</code> or
+     * <p>
+     * Example: <code>encodeBytes( myData, Base64.GZIP | Base64.DONT_BREAK_LINES )</code>
+     *
+     *
+     * @param source The data to convert
+     * @param off Offset in array where conversion should begin
+     * @param len Length of data to convert
+     * @param options Specified options
+     * @see Base64#GZIP
+     * @see Base64#DONT_BREAK_LINES
+     * @return the text node
+     * @since 2.0
+     */
+    public static String encodeBytes(byte[] source, int off, int len, int options) {
+        // Isolate options
+        int dontBreakLines = (options & DONT_BREAK_LINES);
+        int gzip = (options & GZIP);
+
+        // Compress?
+        if (gzip == GZIP) {
+            java.io.ByteArrayOutputStream baos = null;
+            java.util.zip.GZIPOutputStream gzos = null;
+            Base64.OutputStream b64os = null;
+
+            try {
+                // GZip -> Base64 -> ByteArray
+                baos = new java.io.ByteArrayOutputStream();
+                b64os = new Base64.OutputStream(baos, ENCODE | dontBreakLines);
+                gzos = new java.util.zip.GZIPOutputStream(b64os);
+
+                gzos.write(source, off, len);
+                gzos.close();
+            } // end try
+            catch (java.io.IOException e) {
+                e.printStackTrace();
+                return null;
+            } // end catch
+            finally {
+                try {
+                    gzos.close();
+                } catch (Exception e) {
+                }
+                try {
+                    b64os.close();
+                } catch (Exception e) {
+                }
+                try {
+                    baos.close();
+                } catch (Exception e) {
+                }
+            } // end finally
+
+            // Return value according to relevant encoding.
+            try {
+                return new String(baos.toByteArray(), PREFERRED_ENCODING);
+            } // end try
+            catch (java.io.UnsupportedEncodingException uue) {
+                return new String(baos.toByteArray());
+            } // end catch
+        } // end if: compress
+
+        // Else, don't compress. Better not to use streams at all then.
+        else {
+            // Convert option to boolean in way that code likes it.
+            boolean breakLines = dontBreakLines == 0;
+
+            int len43 = len * 4 / 3;
+            byte[] outBuff = new byte[(len43) // Main 4:3
+                    + ((len % 3) > 0 ? 4 : 0) // Account for padding
+                    + (breakLines ? (len43 / MAX_LINE_LENGTH) : 0)]; // New lines
+            int d = 0;
+            int e = 0;
+            int len2 = len - 2;
+            int lineLength = 0;
+            for (; d < len2; d += 3, e += 4) {
+                encode3to4(source, d + off, 3, outBuff, e);
+
+                lineLength += 4;
+                if (breakLines && lineLength == MAX_LINE_LENGTH) {
+                    outBuff[e + 4] = NEW_LINE;
+                    e++;
+                    lineLength = 0;
+                } // end if: end of line
+            } // en dfor: each piece of array
+
+            if (d < len) {
+                encode3to4(source, d + off, len - d, outBuff, e);
+                e += 4;
+            } // end if: some padding needed
+
+            // Return value according to relevant encoding.
+            try {
+                return new String(outBuff, 0, e, PREFERRED_ENCODING);
+            } // end try
+            catch (java.io.UnsupportedEncodingException uue) {
+                return new String(outBuff, 0, e);
+            } // end catch
+
+        } // end else: don't compress
+
+    } // end encodeBytes
+
+    /* ******** D E C O D I N G M E T H O D S ******** */
+
+    /**
+     * Decodes four bytes from array <var>source</var> and writes the resulting bytes (up to three of them) to
+     * <var>destination</var>. The source and destination arrays can be manipulated anywhere along their length by specifying
+     * <var>srcOffset</var> and <var>destOffset</var>. This method does not check to make sure your arrays are large enough to
+     * accomodate <var>srcOffset</var> + 4 for the <var>source</var> array or <var>destOffset</var> + 3 for the
+     * <var>destination</var> array. This method returns the actual number of bytes that were converted from the Base64
+     * encoding.
+     *
+     *
+     * @param source the array to convert
+     * @param srcOffset the index where conversion begins
+     * @param destination the array to hold the conversion
+     * @param destOffset the index where output will be put
+     * @return the number of decoded bytes converted
+     * @since 1.3
+     */
+    private static int decode4to3(byte[] source, int srcOffset, byte[] destination, int destOffset) {
+        // Example: Dk==
+        if (source[srcOffset + 2] == EQUALS_SIGN) {
+            // Two ways to do the same thing. Don't know which way I like best.
+            // int outBuff = ( ( DECODABET[ source[ srcOffset ] ] << 24 ) >>> 6 )
+            // | ( ( DECODABET[ source[ srcOffset + 1] ] << 24 ) >>> 12 );
+            int outBuff = ((DECODABET[source[srcOffset]] & 0xFF) << 18) | ((DECODABET[source[srcOffset + 1]] & 0xFF) << 12);
+
+            destination[destOffset] = (byte) (outBuff >>> 16);
+            return 1;
+        }
+
+        // Example: DkL=
+        else if (source[srcOffset + 3] == EQUALS_SIGN) {
+            // Two ways to do the same thing. Don't know which way I like best.
+            // int outBuff = ( ( DECODABET[ source[ srcOffset ] ] << 24 ) >>> 6 )
+            // | ( ( DECODABET[ source[ srcOffset + 1 ] ] << 24 ) >>> 12 )
+            // | ( ( DECODABET[ source[ srcOffset + 2 ] ] << 24 ) >>> 18 );
+            int outBuff = ((DECODABET[source[srcOffset]] & 0xFF) << 18) | ((DECODABET[source[srcOffset + 1]] & 0xFF) << 12)
+                    | ((DECODABET[source[srcOffset + 2]] & 0xFF) << 6);
+
+            destination[destOffset] = (byte) (outBuff >>> 16);
+            destination[destOffset + 1] = (byte) (outBuff >>> 8);
+            return 2;
+        }
+
+        // Example: DkLE
+        else {
+            try {
+                // Two ways to do the same thing. Don't know which way I like best.
+                // int outBuff = ( ( DECODABET[ source[ srcOffset ] ] << 24 ) >>> 6 )
+                // | ( ( DECODABET[ source[ srcOffset + 1 ] ] << 24 ) >>> 12 )
+                // | ( ( DECODABET[ source[ srcOffset + 2 ] ] << 24 ) >>> 18 )
+                // | ( ( DECODABET[ source[ srcOffset + 3 ] ] << 24 ) >>> 24 );
+                int outBuff = ((DECODABET[source[srcOffset]] & 0xFF) << 18) | ((DECODABET[source[srcOffset + 1]] & 0xFF) << 12)
+                        | ((DECODABET[source[srcOffset + 2]] & 0xFF) << 6) | ((DECODABET[source[srcOffset + 3]] & 0xFF));
+
+                destination[destOffset] = (byte) (outBuff >> 16);
+                destination[destOffset + 1] = (byte) (outBuff >> 8);
+                destination[destOffset + 2] = (byte) (outBuff);
+
+                return 3;
+            } catch (Exception e) {
+                logger.log(Level.FINE, "" + source[srcOffset] + ": " + (DECODABET[source[srcOffset]]));
+                logger.log(Level.FINE, "" + source[srcOffset + 1] + ": " + (DECODABET[source[srcOffset + 1]]));
+                logger.log(Level.FINE, "" + source[srcOffset + 2] + ": " + (DECODABET[source[srcOffset + 2]]));
+                logger.log(Level.FINE, "" + source[srcOffset + 3] + ": " + (DECODABET[source[srcOffset + 3]]));
+                return -1;
+            } // end catch
+        }
+    } // end decodeToBytes
+
+    /**
+     * Very low-level access to decoding ASCII characters in the form of a byte array. Does not support automatically gunzipping
+     * or any other "fancy" features.
+     *
+     * @param source The Base64 encoded data
+     * @param off The offset of where to begin decoding
+     * @param len The length of characters to decode
+     * @return decoded data
+     * @since 1.3
+     */
+    public static byte[] decode(byte[] source, int off, int len) {
+        int len34 = len * 3 / 4;
+        byte[] outBuff = new byte[len34]; // Upper limit on size of output
+        int outBuffPosn = 0;
+
+        byte[] b4 = new byte[4];
+        int b4Posn = 0;
+        int i = 0;
+        byte sbiCrop = 0;
+        byte sbiDecode = 0;
+        for (i = off; i < off + len; i++) {
+            sbiCrop = (byte) (source[i] & 0x7f); // Only the low seven bits
+            sbiDecode = DECODABET[sbiCrop];
+
+            if (sbiDecode >= WHITE_SPACE_ENC) // White space, Equals sign or better
+            {
+                if (sbiDecode >= EQUALS_SIGN_ENC) {
+                    b4[b4Posn++] = sbiCrop;
+                    if (b4Posn > 3) {
+                        outBuffPosn += decode4to3(b4, 0, outBuff, outBuffPosn);
+                        b4Posn = 0;
+
+                        // If that was the equals sign, break out of 'for' loop
+                        if (sbiCrop == EQUALS_SIGN)
+                            break;
+                    } // end if: quartet built
+
+                } // end if: equals sign or better
+
+            } // end if: white space, equals sign or better
+            else {
+                throw new IllegalStateException("Bad Base64 input character at " + i + ": " + source[i] + "(decimal)");
+            } // end else:
+        } // each input character
+
+        byte[] out = new byte[outBuffPosn];
+        System.arraycopy(outBuff, 0, out, 0, outBuffPosn);
+        return out;
+    } // end decode
+
+    /**
+     * Decodes data from Base64 notation, automatically detecting gzip-compressed data and decompressing it.
+     *
+     * @param s the string to decode
+     * @return the decoded data
+     * @since 1.4
+     */
+    public static byte[] decode(String s) {
+        byte[] bytes;
+        try {
+            bytes = s.getBytes(PREFERRED_ENCODING);
+        } // end try
+        catch (java.io.UnsupportedEncodingException uee) {
+            bytes = s.getBytes();
+        } // end catch
+        // </change>
+
+        // Decode
+        bytes = decode(bytes, 0, bytes.length);
+
+        // Check to see if it's gzip-compressed
+        // GZIP Magic Two-Byte Number: 0x8b1f (35615)
+        if (bytes != null && bytes.length >= 4) {
+
+            int head = (bytes[0] & 0xff) | ((bytes[1] << 8) & 0xff00);
+            if (java.util.zip.GZIPInputStream.GZIP_MAGIC == head) {
+                java.io.ByteArrayInputStream bais = null;
+                java.util.zip.GZIPInputStream gzis = null;
+                java.io.ByteArrayOutputStream baos = null;
+                byte[] buffer = new byte[2048];
+                int length = 0;
+
+                try {
+                    baos = new java.io.ByteArrayOutputStream();
+                    bais = new java.io.ByteArrayInputStream(bytes);
+                    gzis = new java.util.zip.GZIPInputStream(bais);
+
+                    while ((length = gzis.read(buffer)) >= 0) {
+                        baos.write(buffer, 0, length);
+                    } // end while: reading input
+
+                    // No error? Get new bytes.
+                    bytes = baos.toByteArray();
+
+                } // end try
+                catch (java.io.IOException e) {
+                    // Just return originally-decoded bytes
+                } // end catch
+                finally {
+                    try {
+                        baos.close();
+                    } catch (Exception e) {
+                    }
+                    try {
+                        gzis.close();
+                    } catch (Exception e) {
+                    }
+                    try {
+                        bais.close();
+                    } catch (Exception e) {
+                    }
+                } // end finally
+
+            } // end if: gzipped
+        } // end if: bytes.length >= 2
+
+        return bytes;
+    } // end decode
+
+    /**
+     * Attempts to decode Base64 data and deserialize a Java Object within. Returns <tt>null</tt> if there was an error.
+     *
+     * @param encodedObject The Base64 data to decode
+     * @return The decoded and deserialized object
+     * @since 1.5
+     */
+    public static Object decodeToObject(String encodedObject) {
+        // Decode and gunzip if necessary
+        byte[] objBytes = decode(encodedObject);
+
+        java.io.ByteArrayInputStream bais = null;
+        java.io.ObjectInputStream ois = null;
+        Object obj = null;
+
+        try {
+            bais = new java.io.ByteArrayInputStream(objBytes);
+            ois = new java.io.ObjectInputStream(bais);
+
+            obj = ois.readObject();
+        } // end try
+        catch (java.io.IOException e) {
+            e.printStackTrace();
+            obj = null;
+        } // end catch
+        catch (java.lang.ClassNotFoundException e) {
+            e.printStackTrace();
+            obj = null;
+        } // end catch
+        finally {
+            try {
+                bais.close();
+            } catch (Exception e) {
+            }
+            try {
+                ois.close();
+            } catch (Exception e) {
+            }
+        } // end finally
+
+        return obj;
+    } // end decodeObject
+
+    /**
+     * Convenience method for encoding data to a file.
+     *
+     * @param dataToEncode byte array of data to encode in base64 form
+     * @param filename Filename for saving encoded data
+     * @return <tt>true</tt> if successful, <tt>false</tt> otherwise
+     *
+     * @since 2.1
+     */
+    public static boolean encodeToFile(byte[] dataToEncode, String filename) {
+        boolean success = false;
+        Base64.OutputStream bos = null;
+        try {
+            bos = new Base64.OutputStream(new java.io.FileOutputStream(filename), Base64.ENCODE);
+            bos.write(dataToEncode);
+            success = true;
+        } // end try
+        catch (java.io.IOException e) {
+
+            success = false;
+        } // end catch: IOException
+        finally {
+            try {
+                bos.close();
+            } catch (Exception e) {
+            }
+        } // end finally
+
+        return success;
+    } // end encodeToFile
+
+    /**
+     * Convenience method for decoding data to a file.
+     *
+     * @param dataToDecode Base64-encoded data as a string
+     * @param filename Filename for saving decoded data
+     * @return <tt>true</tt> if successful, <tt>false</tt> otherwise
+     *
+     * @since 2.1
+     */
+    public static boolean decodeToFile(String dataToDecode, String filename) {
+        boolean success = false;
+        Base64.OutputStream bos = null;
+        try {
+            bos = new Base64.OutputStream(new java.io.FileOutputStream(filename), Base64.DECODE);
+            bos.write(dataToDecode.getBytes(PREFERRED_ENCODING));
+            success = true;
+        } // end try
+        catch (java.io.IOException e) {
+            success = false;
+        } // end catch: IOException
+        finally {
+            try {
+                bos.close();
+            } catch (Exception e) {
+            }
+        } // end finally
+
+        return success;
+    } // end decodeToFile
+
+    /**
+     * Convenience method for reading a base64-encoded file and decoding it.
+     *
+     * @param filename Filename for reading encoded data
+     * @return decoded byte array or null if unsuccessful
+     *
+     * @since 2.1
+     */
+    public static byte[] decodeFromFile(String filename) {
+        byte[] decodedData = null;
+        Base64.InputStream bis = null;
+        try {
+            // Set up some useful variables
+            java.io.File file = new java.io.File(filename);
+            byte[] buffer = null;
+            int length = 0;
+            int numBytes = 0;
+
+            // Check for size of file
+            if (file.length() > Integer.MAX_VALUE) {
+                throw new IllegalStateException("File is too big for this convenience method (" + file.length() + " bytes).");
+            } // end if: file too big for int index
+            buffer = new byte[(int) file.length()];
+
+            // Open a stream
+            bis = new Base64.InputStream(new java.io.BufferedInputStream(new java.io.FileInputStream(file)), Base64.DECODE);
+
+            // Read until done
+            while ((numBytes = bis.read(buffer, length, 4096)) >= 0)
+                length += numBytes;
+
+            // Save in a variable to return
+            decodedData = new byte[length];
+            System.arraycopy(buffer, 0, decodedData, 0, length);
+
+        } // end try
+        catch (java.io.IOException e) {
+            throw new IllegalStateException("Error decoding from file " + filename);
+        } // end catch: IOException
+        finally {
+            try {
+                bis.close();
+            } catch (Exception e) {
+            }
+        } // end finally
+
+        return decodedData;
+    } // end decodeFromFile
+
+    /**
+     * Convenience method for reading a binary file and base64-encoding it.
+     *
+     * @param filename Filename for reading binary data
+     * @return base64-encoded string or null if unsuccessful
+     *
+     * @since 2.1
+     */
+    public static String encodeFromFile(String filename) {
+        String encodedData = null;
+        Base64.InputStream bis = null;
+        try {
+            // Set up some useful variables
+            java.io.File file = new java.io.File(filename);
+            byte[] buffer = new byte[(int) (file.length() * 1.4)];
+            int length = 0;
+            int numBytes = 0;
+
+            // Open a stream
+            bis = new Base64.InputStream(new java.io.BufferedInputStream(new java.io.FileInputStream(file)), Base64.ENCODE);
+
+            // Read until done
+            while ((numBytes = bis.read(buffer, length, 4096)) >= 0)
+                length += numBytes;
+
+            // Save in a variable to return
+            encodedData = new String(buffer, 0, length, Base64.PREFERRED_ENCODING);
+
+        } // end try
+        catch (java.io.IOException e) {
+            throw new IllegalStateException("Error encoding from file " + filename);
+        } // end catch: IOException
+        finally {
+            try {
+                bis.close();
+            } catch (Exception e) {
+            }
+        } // end finally
+
+        return encodedData;
+    } // end encodeFromFile
+
+    /* ******** I N N E R C L A S S I N P U T S T R E A M ******** */
+
+    /**
+     * A {@link Base64.InputStream} will read data from another <tt>java.io.InputStream</tt>, given in the constructor, and
+     * encode/decode to/from Base64 notation on the fly.
+     *
+     * @see Base64
+     * @since 1.3
+     */
+    public static class InputStream extends java.io.FilterInputStream {
+
+        private boolean encode; // Encoding or decoding
+        private int position; // Current position in the buffer
+        private byte[] buffer; // Small buffer holding converted data
+        private int bufferLength; // Length of buffer (3 or 4)
+        private int numSigBytes; // Number of meaningful bytes in the buffer
+        private int lineLength;
+        private boolean breakLines; // Break lines at less than 80 characters
+
+        /**
+         * Constructs a {@link Base64.InputStream} in DECODE mode.
+         *
+         * @param in the <tt>java.io.InputStream</tt> from which to read data.
+         * @since 1.3
+         */
+        public InputStream(java.io.InputStream in) {
+            this(in, DECODE);
+        } // end constructor
+
+        /**
+         * Constructs a {@link Base64.InputStream} in either ENCODE or DECODE mode.
+         * <p>
+         * Valid options:
+         *
+         * <pre>
+         *   ENCODE or DECODE: Encode or Decode as data is read.
+         *   DONT_BREAK_LINES: don't break lines at 76 characters
+         *     (only meaningful when encoding)
+         *     <i>Note: Technically, this makes your encoding non-compliant.</i>
+         * </pre>
+         * <p>
+         * Example: <code>new Base64.InputStream( in, Base64.DECODE )</code>
+         *
+         *
+         * @param in the <tt>java.io.InputStream</tt> from which to read data.
+         * @param options Specified options
+         * @see Base64#ENCODE
+         * @see Base64#DECODE
+         * @see Base64#DONT_BREAK_LINES
+         * @since 2.0
+         */
+        public InputStream(java.io.InputStream in, int options) {
+            super(in);
+            this.breakLines = (options & DONT_BREAK_LINES) != DONT_BREAK_LINES;
+            this.encode = (options & ENCODE) == ENCODE;
+            this.bufferLength = encode ? 4 : 3;
+            this.buffer = new byte[bufferLength];
+            this.position = -1;
+            this.lineLength = 0;
+        } // end constructor
+
+        /**
+         * Reads enough of the input stream to convert to/from Base64 and returns the next byte.
+         *
+         * @return next byte
+         * @since 1.3
+         */
+        public int read() throws java.io.IOException {
+            // Do we need to get data?
+            if (position < 0) {
+                if (encode) {
+                    byte[] b3 = new byte[3];
+                    int numBinaryBytes = 0;
+                    for (int i = 0; i < 3; i++) {
+                        try {
+                            int b = in.read();
+
+                            // If end of stream, b is -1.
+                            if (b >= 0) {
+                                b3[i] = (byte) b;
+                                numBinaryBytes++;
+                            } // end if: not end of stream
+
+                        } // end try: read
+                        catch (java.io.IOException e) {
+                            // Only a problem if we got no data at all.
+                            if (i == 0)
+                                throw e;
+
+                        } // end catch
+                    } // end for: each needed input byte
+
+                    if (numBinaryBytes > 0) {
+                        encode3to4(b3, 0, numBinaryBytes, buffer, 0);
+                        position = 0;
+                        numSigBytes = 4;
+                    } // end if: got data
+                    else {
+                        return -1;
+                    } // end else
+                } // end if: encoding
+
+                // Else decoding
+                else {
+                    byte[] b4 = new byte[4];
+                    int i = 0;
+                    for (i = 0; i < 4; i++) {
+                        // Read four "meaningful" bytes:
+                        int b = 0;
+                        do {
+                            b = in.read();
+                        } while (b >= 0 && DECODABET[b & 0x7f] <= WHITE_SPACE_ENC);
+
+                        if (b < 0)
+                            break; // Reads a -1 if end of stream
+
+                        b4[i] = (byte) b;
+                    } // end for: each needed input byte
+
+                    if (i == 4) {
+                        numSigBytes = decode4to3(b4, 0, buffer, 0);
+                        position = 0;
+                    } // end if: got four characters
+                    else if (i == 0) {
+                        return -1;
+                    } // end else if: also padded correctly
+                    else {
+                        // Must have broken out from above.
+                        throw new java.io.IOException("Improperly padded Base64 input.");
+                    } // end
+
+                } // end else: decode
+            } // end else: get data
+
+            // Got data?
+            if (position >= 0) {
+                // End of relevant data?
+                if (/* !encode && */position >= numSigBytes)
+                    return -1;
+
+                if (encode && breakLines && lineLength >= MAX_LINE_LENGTH) {
+                    lineLength = 0;
+                    return '\n';
+                } // end if
+                else {
+                    lineLength++; // This isn't important when decoding
+                    // but throwing an extra "if" seems
+                    // just as wasteful.
+
+                    int b = buffer[position++];
+
+                    if (position >= bufferLength)
+                        position = -1;
+
+                    return b & 0xFF; // This is how you "cast" a byte that's
+                    // intended to be unsigned.
+                } // end else
+            } // end if: position >= 0
+
+            // Else error
+            else {
+                // When JDK1.4 is more accepted, use an assertion here.
+                throw new java.io.IOException("Error in Base64 code reading stream.");
+            } // end else
+        } // end read
+
+        /**
+         * Calls {@link #read()} repeatedly until the end of stream is reached or <var>len</var> bytes are read. Returns number
+         * of bytes read into array or -1 if end of stream is encountered.
+         *
+         * @param dest array to hold values
+         * @param off offset for array
+         * @param len max number of bytes to read into array
+         * @return bytes read into array or -1 if end of stream is encountered.
+         * @since 1.3
+         */
+        public int read(byte[] dest, int off, int len) throws java.io.IOException {
+            int i;
+            int b;
+            for (i = 0; i < len; i++) {
+                b = read();
+
+                // if( b < 0 && i == 0 )
+                // return -1;
+
+                if (b >= 0)
+                    dest[off + i] = (byte) b;
+                else if (i == 0)
+                    return -1;
+                else
+                    break; // Out of 'for' loop
+            } // end for: each byte read
+            return i;
+        } // end read
+
+    } // end inner class InputStream
+
+    /* ******** I N N E R C L A S S O U T P U T S T R E A M ******** */
+
+    /**
+     * A {@link Base64.OutputStream} will write data to another <tt>java.io.OutputStream</tt>, given in the constructor, and
+     * encode/decode to/from Base64 notation on the fly.
+     *
+     * @see Base64
+     * @since 1.3
+     */
+    public static class OutputStream extends java.io.FilterOutputStream {
+
+        private boolean encode;
+        private int position;
+        private byte[] buffer;
+        private int bufferLength;
+        private int lineLength;
+        private boolean breakLines;
+        private byte[] b4; // Scratch used in a few places
+        private boolean suspendEncoding;
+
+        /**
+         * Constructs a {@link Base64.OutputStream} in ENCODE mode.
+         *
+         * @param out the <tt>java.io.OutputStream</tt> to which data will be written.
+         * @since 1.3
+         */
+        public OutputStream(java.io.OutputStream out) {
+            this(out, ENCODE);
+        } // end constructor
+
+        /**
+         * Constructs a {@link Base64.OutputStream} in either ENCODE or DECODE mode.
+         * <p>
+         * Valid options:
+         *
+         * <pre>
+         *   ENCODE or DECODE: Encode or Decode as data is read.
+         *   DONT_BREAK_LINES: don't break lines at 76 characters
+         *     (only meaningful when encoding)
+         *     <i>Note: Technically, this makes your encoding non-compliant.</i>
+         * </pre>
+         * <p>
+         * Example: <code>new Base64.OutputStream( out, Base64.ENCODE )</code>
+         *
+         * @param out the <tt>java.io.OutputStream</tt> to which data will be written.
+         * @param options Specified options.
+         * @see Base64#ENCODE
+         * @see Base64#DECODE
+         * @see Base64#DONT_BREAK_LINES
+         * @since 1.3
+         */
+        public OutputStream(java.io.OutputStream out, int options) {
+            super(out);
+            this.breakLines = (options & DONT_BREAK_LINES) != DONT_BREAK_LINES;
+            this.encode = (options & ENCODE) == ENCODE;
+            this.bufferLength = encode ? 3 : 4;
+            this.buffer = new byte[bufferLength];
+            this.position = 0;
+            this.lineLength = 0;
+            this.suspendEncoding = false;
+            this.b4 = new byte[4];
+        } // end constructor
+
+        /**
+         * Writes the byte to the output stream after converting to/from Base64 notation. When encoding, bytes are buffered
+         * three at a time before the output stream actually gets a write() call. When decoding, bytes are buffered four at a
+         * time.
+         *
+         * @param theByte the byte to write
+         * @since 1.3
+         */
+        public void write(int theByte) throws java.io.IOException {
+            // Encoding suspended?
+            if (suspendEncoding) {
+                super.out.write(theByte);
+                return;
+            } // end if: supsended
+
+            // Encode?
+            if (encode) {
+                buffer[position++] = (byte) theByte;
+                if (position >= bufferLength) { // Enough to encode.
+                    out.write(encode3to4(b4, buffer, bufferLength));
+
+                    lineLength += 4;
+                    if (breakLines && lineLength >= MAX_LINE_LENGTH) {
+                        out.write(NEW_LINE);
+                        lineLength = 0;
+                    } // end if: end of line
+
+                    position = 0;
+                } // end if: enough to output
+            } // end if: encoding
+
+            // Else, Decoding
+            else {
+                // Meaningful Base64 character?
+                if (DECODABET[theByte & 0x7f] > WHITE_SPACE_ENC) {
+                    buffer[position++] = (byte) theByte;
+                    if (position >= bufferLength) { // Enough to output.
+                        int len = Base64.decode4to3(buffer, 0, b4, 0);
+                        out.write(b4, 0, len);
+                        // out.write( Base64.decode4to3( buffer ) );
+                        position = 0;
+                    } // end if: enough to output
+                } // end if: meaningful base64 character
+                else if (DECODABET[theByte & 0x7f] != WHITE_SPACE_ENC) {
+                    throw new java.io.IOException("Invalid character in Base64 data.");
+                } // end else: not white space either
+            } // end else: decoding
+        } // end write
+
+        /**
+         * Calls {@link #write(int)} repeatedly until <var>len</var> bytes are written.
+         *
+         * @param theBytes array from which to read bytes
+         * @param off offset for array
+         * @param len max number of bytes to read into array
+         * @since 1.3
+         */
+        public void write(byte[] theBytes, int off, int len) throws java.io.IOException {
+            // Encoding suspended?
+            if (suspendEncoding) {
+                super.out.write(theBytes, off, len);
+                return;
+            } // end if: supsended
+
+            for (int i = 0; i < len; i++) {
+                write(theBytes[off + i]);
+            } // end for: each byte written
+
+        } // end write
+
+        /**
+         * Method added by PHIL. [Thanks, PHIL. -Rob] This pads the buffer without closing the stream.
+         *
+         * @throws IOException
+         */
+        public void flushBase64() throws java.io.IOException {
+            if (position > 0) {
+                if (encode) {
+                    out.write(encode3to4(b4, buffer, position));
+                    position = 0;
+                } // end if: encoding
+                else {
+                    throw new java.io.IOException("Base64 input not properly padded.");
+                } // end else: decoding
+            } // end if: buffer partially full
+
+        } // end flush
+
+        /**
+         * Flushes and closes (I think, in the superclass) the stream.
+         *
+         * @since 1.3
+         */
+        public void close() throws java.io.IOException {
+            // 1. Ensure that pending characters are written
+            flushBase64();
+
+            // 2. Actually close the stream
+            // Base class both flushes and closes.
+            super.close();
+
+            buffer = null;
+            out = null;
+        } // end close
+
+        /**
+         * Suspends encoding of the stream. May be helpful if you need to embed a piece of base640-encoded data in a stream.
+         *
+         * @since 1.5.1
+         * @throws IOException
+         */
+        public void suspendEncoding() throws java.io.IOException {
+            flushBase64();
+            this.suspendEncoding = true;
+        } // end suspendEncoding
+
+        /**
+         * Resumes encoding of the stream. May be helpful if you need to embed a piece of base640-encoded data in a stream.
+         *
+         * @since 1.5.1
+         */
+        public void resumeEncoding() {
+            this.suspendEncoding = false;
+        } // end resumeEncoding
+
+    } // end inner class OutputStream
+
+} // end class Base64
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/util/DocumentUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/DocumentUtil.java
new file mode 100755
index 0000000000..509c8999e0
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/DocumentUtil.java
@@ -0,0 +1,544 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.w3c.dom.DOMConfiguration;
+import org.w3c.dom.DOMException;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+
+import javax.xml.namespace.QName;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.Result;
+import javax.xml.transform.Source;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+import javax.xml.transform.dom.DOMResult;
+import javax.xml.transform.dom.DOMSource;
+import javax.xml.transform.stream.StreamResult;
+import javax.xml.xpath.XPathException;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.io.StringReader;
+import java.io.StringWriter;
+
+/**
+ * Utility dealing with DOM
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jan 14, 2009
+ */
+public class DocumentUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    private static DocumentBuilderFactory documentBuilderFactory;
+
+    public static final String feature_external_general_entities = "http://xml.org/sax/features/external-general-entities";
+    public static final String feature_external_parameter_entities = "http://xml.org/sax/features/external-parameter-entities";
+    public static final String feature_disallow_doctype_decl = "http://apache.org/xml/features/disallow-doctype-decl";
+
+    /**
+     * Check whether a node belongs to a document
+     *
+     * @param doc
+     * @param node
+     *
+     * @return
+     */
+    public static boolean containsNode(Document doc, Node node) {
+        if (node.getNodeType() == Node.ELEMENT_NODE) {
+            Element elem = (Element) node;
+            NodeList nl = doc.getElementsByTagNameNS(elem.getNamespaceURI(), elem.getLocalName());
+            if (nl != null && nl.getLength() > 0)
+                return true;
+            else
+                return false;
+        }
+        throw new UnsupportedOperationException();
+    }
+
+    /**
+     * Create a new document
+     *
+     * @return
+     *
+     * @throws ParserConfigurationException
+     */
+    public static Document createDocument() throws ConfigurationException {
+        DocumentBuilderFactory factory = getDocumentBuilderFactory();
+        DocumentBuilder builder;
+        try {
+            builder = factory.newDocumentBuilder();
+        } catch (ParserConfigurationException e) {
+            throw new ConfigurationException(e);
+        }
+        return builder.newDocument();
+    }
+
+    /**
+     * Create a document with the root element of the form &lt;someElement xmlns="customNamespace"
+     *
+     * @param baseNamespace
+     *
+     * @return
+     *
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     */
+    public static Document createDocumentWithBaseNamespace(String baseNamespace, String localPart) throws ProcessingException {
+        try {
+            DocumentBuilderFactory factory = getDocumentBuilderFactory();
+            DocumentBuilder builder = factory.newDocumentBuilder();
+            return builder.getDOMImplementation().createDocument(baseNamespace, localPart, null);
+        } catch (DOMException e) {
+            throw logger.processingError(e);
+        } catch (ParserConfigurationException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Parse a document from the string
+     *
+     * @param docString
+     *
+     * @return
+     *
+     * @throws IOException
+     * @throws SAXException
+     * @throws ParserConfigurationException
+     */
+    public static Document getDocument(String docString) throws ConfigurationException, ParsingException, ProcessingException {
+        return getDocument(new StringReader(docString));
+    }
+
+    /**
+     * Parse a document from a reader
+     *
+     * @param reader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     * @throws ParserConfigurationException
+     * @throws IOException
+     * @throws SAXException
+     */
+    public static Document getDocument(Reader reader) throws ConfigurationException, ProcessingException, ParsingException {
+        try {
+            DocumentBuilderFactory factory = getDocumentBuilderFactory();
+            DocumentBuilder builder = factory.newDocumentBuilder();
+            return builder.parse(new InputSource(reader));
+        } catch (ParserConfigurationException e) {
+            throw logger.configurationError(e);
+        } catch (SAXException e) {
+            throw logger.parserError(e);
+        } catch (IOException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Get Document from a file
+     *
+     * @param file
+     *
+     * @return
+     *
+     * @throws ParserConfigurationException
+     * @throws IOException
+     * @throws SAXException
+     */
+    public static Document getDocument(File file) throws ConfigurationException, ProcessingException, ParsingException {
+        DocumentBuilderFactory factory = getDocumentBuilderFactory();
+        try {
+            DocumentBuilder builder = factory.newDocumentBuilder();
+            return builder.parse(file);
+        } catch (ParserConfigurationException e) {
+            throw logger.configurationError(e);
+        } catch (SAXException e) {
+            throw logger.parserError(e);
+        } catch (IOException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Get Document from an inputstream
+     *
+     * @param is
+     *
+     * @return
+     *
+     * @throws ParserConfigurationException
+     * @throws IOException
+     * @throws SAXException
+     */
+    public static Document getDocument(InputStream is) throws ConfigurationException, ProcessingException, ParsingException {
+        DocumentBuilderFactory factory = getDocumentBuilderFactory();
+        try {
+            DocumentBuilder builder = factory.newDocumentBuilder();
+            return builder.parse(is);
+        } catch (ParserConfigurationException e) {
+            throw logger.configurationError(e);
+        } catch (SAXException e) {
+            throw logger.parserError(e);
+        } catch (IOException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Marshall a document into a String
+     *
+     * @param signedDoc
+     *
+     * @return
+     *
+     * @throws TransformerFactoryConfigurationError
+     * @throws TransformerException
+     */
+    public static String getDocumentAsString(Document signedDoc) throws ProcessingException, ConfigurationException {
+        Source source = new DOMSource(signedDoc);
+        StringWriter sw = new StringWriter();
+
+        Result streamResult = new StreamResult(sw);
+        // Write the DOM document to the stream
+        Transformer xformer = TransformerUtil.getTransformer();
+        try {
+            xformer.transform(source, streamResult);
+        } catch (TransformerException e) {
+            throw logger.processingError(e);
+        }
+
+        return sw.toString();
+    }
+
+    /**
+     * Marshall a DOM Element as string
+     *
+     * @param element
+     *
+     * @return
+     *
+     * @throws TransformerFactoryConfigurationError
+     * @throws TransformerException
+     */
+    public static String getDOMElementAsString(Element element) throws ProcessingException, ConfigurationException {
+        Source source = new DOMSource(element);
+        StringWriter sw = new StringWriter();
+
+        Result streamResult = new StreamResult(sw);
+        // Write the DOM document to the file
+        Transformer xformer = TransformerUtil.getTransformer();
+        try {
+            xformer.transform(source, streamResult);
+        } catch (TransformerException e) {
+            throw logger.processingError(e);
+        }
+
+        return sw.toString();
+    }
+
+    /**
+     * <p> Get an element from the document given its {@link QName} </p> <p> First an attempt to get the element based
+     * on its namespace is made, failing which an element with the localpart ignoring any namespace is returned. </p>
+     *
+     * @param doc
+     * @param elementQName
+     *
+     * @return
+     */
+    public static Element getElement(Document doc, QName elementQName) {
+        NodeList nl = doc.getElementsByTagNameNS(elementQName.getNamespaceURI(), elementQName.getLocalPart());
+        if (nl.getLength() == 0) {
+            nl = doc.getElementsByTagNameNS("*", elementQName.getLocalPart());
+            if (nl.getLength() == 0)
+                nl = doc.getElementsByTagName(elementQName.getPrefix() + ":" + elementQName.getLocalPart());
+            if (nl.getLength() == 0)
+                return null;
+        }
+        return (Element) nl.item(0);
+    }
+
+    /**
+     * <p> Get an child element from the parent element given its {@link QName} </p> <p> First an attempt to get the
+     * element based on its namespace is made, failing which an element with the localpart ignoring any namespace is
+     * returned. </p>
+     *
+     * @param doc
+     * @param elementQName
+     *
+     * @return
+     */
+    public static Element getChildElement(Element doc, QName elementQName) {
+        NodeList nl = doc.getElementsByTagNameNS(elementQName.getNamespaceURI(), elementQName.getLocalPart());
+        if (nl.getLength() == 0) {
+            nl = doc.getElementsByTagNameNS("*", elementQName.getLocalPart());
+            if (nl.getLength() == 0)
+                nl = doc.getElementsByTagName(elementQName.getPrefix() + ":" + elementQName.getLocalPart());
+            if (nl.getLength() == 0)
+                return null;
+        }
+        return (Element) nl.item(0);
+    }
+
+    /**
+     * Stream a DOM Node as an input stream
+     *
+     * @param node
+     *
+     * @return
+     *
+     * @throws TransformerFactoryConfigurationError
+     * @throws TransformerException
+     */
+    public static InputStream getNodeAsStream(Node node) throws ConfigurationException, ProcessingException {
+        return getSourceAsStream(new DOMSource(node));
+    }
+
+    /**
+     * Get the {@link Source} as an {@link InputStream}
+     *
+     * @param source
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     * @throws ProcessingException
+     */
+    public static InputStream getSourceAsStream(Source source) throws ConfigurationException, ProcessingException {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        Result streamResult = new StreamResult(baos);
+        // Write the DOM document to the stream
+        Transformer transformer = TransformerUtil.getTransformer();
+        try {
+            transformer.transform(source, streamResult);
+        } catch (TransformerException e) {
+            throw logger.processingError(e);
+        }
+
+        return new ByteArrayInputStream(baos.toByteArray());
+    }
+
+    /**
+     * Stream a DOM Node as a String
+     *
+     * @param node
+     *
+     * @return
+     *
+     * @throws ProcessingException
+     * @throws TransformerFactoryConfigurationError
+     * @throws TransformerException
+     */
+    public static String getNodeAsString(Node node) throws ConfigurationException, ProcessingException {
+        Source source = new DOMSource(node);
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+        Result streamResult = new StreamResult(baos);
+        // Write the DOM document to the stream
+        Transformer transformer = TransformerUtil.getTransformer();
+        try {
+            transformer.transform(source, streamResult);
+        } catch (TransformerException e) {
+            throw logger.processingError(e);
+        }
+
+        return new String(baos.toByteArray());
+    }
+
+    /**
+     * Given a document, return a Node with the given node name and an attribute with a particular attribute value
+     *
+     * @param document
+     * @param nsURI
+     * @param nodeName
+     * @param attributeName
+     * @param attributeValue
+     *
+     * @return
+     *
+     * @throws XPathException
+     * @throws TransformerFactoryConfigurationError
+     * @throws TransformerException
+     */
+    public static Node getNodeWithAttribute(Document document, final String nsURI, String nodeName, String attributeName,
+                                            String attributeValue) throws XPathException, TransformerFactoryConfigurationError, TransformerException {
+        NodeList nl = document.getElementsByTagNameNS(nsURI, nodeName);
+        int len = nl != null ? nl.getLength() : 0;
+
+        for (int i = 0; i < len; i++) {
+            Node n = nl.item(i);
+            if (n.getNodeType() != Node.ELEMENT_NODE)
+                continue;
+            Element el = (Element) n;
+            String attrValue = el.getAttributeNS(nsURI, attributeName);
+            if (attributeValue.equals(attrValue))
+                return el;
+            // Take care of attributes with null NS
+            attrValue = el.getAttribute(attributeName);
+            if (attributeValue.equals(attrValue))
+                return el;
+        }
+        return null;
+    }
+
+    /**
+     * DOM3 method: Normalize the document with namespaces
+     *
+     * @param doc
+     *
+     * @return
+     */
+    public static Document normalizeNamespaces(Document doc) {
+        DOMConfiguration docConfig = doc.getDomConfig();
+        docConfig.setParameter("namespaces", Boolean.TRUE);
+        doc.normalizeDocument();
+        return doc;
+    }
+
+    /**
+     * Get a {@link Source} given a {@link Document}
+     *
+     * @param doc
+     *
+     * @return
+     */
+    public static Source getXMLSource(Document doc) {
+        return new DOMSource(doc);
+    }
+
+    /**
+     * Get the document as a string while ignoring any exceptions
+     *
+     * @param doc
+     *
+     * @return
+     */
+    public static String asString(Document doc) {
+        String str = null;
+
+        try {
+            str = getDocumentAsString(doc);
+        } catch (Exception ignore) {
+        }
+        return str;
+    }
+
+    /**
+     * Log the nodes in the document
+     *
+     * @param doc
+     */
+    public static void logNodes(Document doc) {
+        visit(doc, 0);
+    }
+
+    public static Node getNodeFromSource(Source source) throws ProcessingException, ConfigurationException {
+        try {
+            Transformer transformer = TransformerUtil.getTransformer();
+            DOMResult result = new DOMResult();
+            TransformerUtil.transform(transformer, source, result);
+            return result.getNode();
+        } catch (ParsingException te) {
+            throw logger.processingError(te);
+        }
+    }
+
+    public static Document getDocumentFromSource(Source source) throws ProcessingException, ConfigurationException {
+        try {
+            Transformer transformer = TransformerUtil.getTransformer();
+            DOMResult result = new DOMResult();
+            TransformerUtil.transform(transformer, source, result);
+            return (Document) result.getNode();
+        } catch (ParsingException te) {
+            throw logger.processingError(te);
+        }
+    }
+
+    private static void visit(Node node, int level) {
+        // Visit each child
+        NodeList list = node.getChildNodes();
+        for (int i = 0; i < list.getLength(); i++) {
+            // Get child node
+            Node childNode = list.item(i);
+
+            logger.trace("Node=" + childNode.getNamespaceURI() + "::" + childNode.getLocalName());
+
+            // Visit child node
+            visit(childNode, level + 1);
+        }
+    }
+
+    /**
+     * <p> Creates a namespace aware {@link DocumentBuilderFactory}. The returned instance is cached and shared between
+     * different threads. </p>
+     *
+     * @return
+     */
+    private static DocumentBuilderFactory getDocumentBuilderFactory() {
+        boolean tccl_jaxp = SystemPropertiesUtil.getSystemProperty(GeneralConstants.TCCL_JAXP, "false")
+                .equalsIgnoreCase("true");
+        ClassLoader prevTCCL = SecurityActions.getTCCL();
+        if (documentBuilderFactory == null) {
+            try {
+                if (tccl_jaxp) {
+                    SecurityActions.setTCCL(DocumentUtil.class.getClassLoader());
+                }
+                documentBuilderFactory = DocumentBuilderFactory.newInstance();
+                documentBuilderFactory.setNamespaceAware(true);
+                documentBuilderFactory.setXIncludeAware(true);
+                String feature = "";
+                try {
+                    feature = feature_disallow_doctype_decl;
+                    documentBuilderFactory.setFeature(feature, true);
+                    feature = feature_external_general_entities;
+                    documentBuilderFactory.setFeature(feature, false);
+                    feature = feature_external_parameter_entities;
+                    documentBuilderFactory.setFeature(feature, false);
+                } catch (ParserConfigurationException e) {
+                    throw logger.parserFeatureNotSupported(feature);
+                }
+            } finally {
+                if (tccl_jaxp) {
+                    SecurityActions.setTCCL(prevTCCL);
+                }
+            }
+        }
+
+        return documentBuilderFactory;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/util/PBEUtils.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/PBEUtils.java
new file mode 100755
index 0000000000..04af3a4623
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/PBEUtils.java
@@ -0,0 +1,85 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.util;
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.PBEParameterSpec;
+import java.io.UnsupportedEncodingException;
+import java.security.GeneralSecurityException;
+
+/**
+ * Utility dealing with Password Based Encryption (Code is ripped off of the PBEUtils class in JBossSecurity/PicketBox)
+ *
+ * @author Scott.Stark@jboss.org
+ * @author Anil.Saldhana@redhat.com
+ * @since May 25, 2010
+ */
+public class PBEUtils {
+    public static byte[] encode(byte[] secret, String cipherAlgorithm, SecretKey cipherKey, PBEParameterSpec cipherSpec)
+            throws Exception {
+        Cipher cipher = Cipher.getInstance(cipherAlgorithm);
+        cipher.init(Cipher.ENCRYPT_MODE, cipherKey, cipherSpec);
+        byte[] encoding = cipher.doFinal(secret);
+        return encoding;
+    }
+
+    public static String encode64(byte[] secret, String cipherAlgorithm, SecretKey cipherKey, PBEParameterSpec cipherSpec)
+            throws Exception {
+        byte[] encoding = encode(secret, cipherAlgorithm, cipherKey, cipherSpec);
+        String b64 = Base64.encodeBytes(encoding);
+        return b64;
+    }
+
+    public static byte[] decode(byte[] secret, String cipherAlgorithm, SecretKey cipherKey, PBEParameterSpec cipherSpec)
+            throws GeneralSecurityException {
+        Cipher cipher = Cipher.getInstance(cipherAlgorithm);
+        cipher.init(Cipher.DECRYPT_MODE, cipherKey, cipherSpec);
+        byte[] decode = cipher.doFinal(secret);
+        return decode;
+    }
+
+    public static String decode64(String secret, String cipherAlgorithm, SecretKey cipherKey, PBEParameterSpec cipherSpec)
+            throws GeneralSecurityException, UnsupportedEncodingException {
+        byte[] encoding = Base64.decode(secret);
+        byte[] decode = decode(encoding, cipherAlgorithm, cipherKey, cipherSpec);
+        return new String(decode, "UTF-8");
+    }
+
+    public static void main(String[] args) throws Exception {
+        if (args.length != 3) {
+            System.err.println("Encrypt a password" + "Usage: PBEUtils salt count domain-password password"
+                    + " salt : the Salt " + " count : the IterationCount "
+                    + " password : the plaintext password that should be encrypted");
+            throw new RuntimeException(" ERROR: please see format above");
+        }
+
+        byte[] salt = args[0].substring(0, 8).getBytes();
+        int count = Integer.parseInt(args[1]);
+        char[] password = "somearbitrarycrazystringthatdoesnotmatter".toCharArray();
+        byte[] passwordToEncode = args[2].getBytes("UTF-8");
+        PBEParameterSpec cipherSpec = new PBEParameterSpec(salt, count);
+        PBEKeySpec keySpec = new PBEKeySpec(password);
+        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBEwithMD5andDES");
+        SecretKey cipherKey = factory.generateSecret(keySpec);
+        String encodedPassword = encode64(passwordToEncode, "PBEwithMD5andDES", cipherKey, cipherSpec);
+        System.err.println("Encoded password: MASK-" + encodedPassword);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/util/SecurityActions.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/SecurityActions.java
new file mode 100755
index 0000000000..24bd70b021
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/SecurityActions.java
@@ -0,0 +1,221 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.util;
+
+import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * Privileged Blocks
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 9, 2008
+ */
+class SecurityActions {
+
+    /**
+     * <p> Loads a {@link Class} using the <code>fullQualifiedName</code> supplied. This method tries first to load from
+     * the specified {@link Class}, if not found it will try to load from using TCL. </p>
+     *
+     * @param theClass
+     * @param fullQualifiedName
+     *
+     * @return
+     */
+    static Class<?> loadClass(final Class<?> theClass, final String fullQualifiedName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
+                public Class<?> run() {
+                    ClassLoader classLoader = theClass.getClassLoader();
+
+                    Class<?> clazz = loadClass(classLoader, fullQualifiedName);
+                    if (clazz == null) {
+                        classLoader = Thread.currentThread().getContextClassLoader();
+                        clazz = loadClass(classLoader, fullQualifiedName);
+                    }
+                    return clazz;
+                }
+            });
+        } else {
+            ClassLoader classLoader = theClass.getClassLoader();
+
+            Class<?> clazz = loadClass(classLoader, fullQualifiedName);
+            if (clazz == null) {
+                classLoader = Thread.currentThread().getContextClassLoader();
+                clazz = loadClass(classLoader, fullQualifiedName);
+            }
+            return clazz;
+        }
+    }
+
+    /**
+     * <p> Loads a class from the specified {@link ClassLoader} using the <code>fullQualifiedName</code> supplied. </p>
+     *
+     * @param classLoader
+     * @param fullQualifiedName
+     *
+     * @return
+     */
+    static Class<?> loadClass(final ClassLoader classLoader, final String fullQualifiedName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
+                public Class<?> run() {
+                    try {
+                        return classLoader.loadClass(fullQualifiedName);
+                    } catch (ClassNotFoundException e) {
+                    }
+                    return null;
+                }
+            });
+        } else {
+            try {
+                return classLoader.loadClass(fullQualifiedName);
+            } catch (ClassNotFoundException e) {
+            }
+            return null;
+        }
+    }
+
+    /**
+     * Load a resource based on the passed {@link Class} classloader. Failing which try with the Thread Context CL
+     *
+     * @param clazz
+     * @param resourceName
+     *
+     * @return
+     */
+    static URL loadResource(final Class<?> clazz, final String resourceName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<URL>() {
+                public URL run() {
+                    URL url = null;
+                    ClassLoader clazzLoader = clazz.getClassLoader();
+                    url = clazzLoader.getResource(resourceName);
+
+                    if (url == null) {
+                        clazzLoader = Thread.currentThread().getContextClassLoader();
+                        url = clazzLoader.getResource(resourceName);
+                    }
+
+                    return url;
+                }
+            });
+        } else {
+            URL url = null;
+            ClassLoader clazzLoader = clazz.getClassLoader();
+            url = clazzLoader.getResource(resourceName);
+
+            if (url == null) {
+                clazzLoader = Thread.currentThread().getContextClassLoader();
+                url = clazzLoader.getResource(resourceName);
+            }
+
+            return url;
+        }
+    }
+
+    /**
+     * Set the system property
+     *
+     * @param key
+     * @param defaultValue
+     *
+     * @return
+     */
+    static void setSystemProperty(final String key, final String value) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            AccessController.doPrivileged(new PrivilegedAction<Object>() {
+                public Object run() {
+                    System.setProperty(key, value);
+                    return null;
+                }
+            });
+        } else {
+            System.setProperty(key, value);
+        }
+    }
+
+    /**
+     * <p>Returns a system property value using the specified <code>key</code>. If not found the
+     * <code>defaultValue</code> will be returned.</p>
+     *
+     * @param key
+     * @param defaultValue
+     *
+     * @return
+     */
+    static String getSystemProperty(final String key, final String defaultValue) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<String>() {
+                public String run() {
+                    return System.getProperty(key, defaultValue);
+                }
+            });
+        } else {
+            return System.getProperty(key, defaultValue);
+        }
+    }
+
+    /**
+     * Get the Thread Context ClassLoader
+     *
+     * @return
+     */
+    static ClassLoader getTCCL() {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
+                public ClassLoader run() {
+                    return Thread.currentThread().getContextClassLoader();
+                }
+            });
+        } else {
+            return Thread.currentThread().getContextClassLoader();
+        }
+    }
+
+    /**
+     * Set the Thread Context ClassLoader
+     *
+     * @param paramCl
+     */
+    static void setTCCL(final ClassLoader paramCl) {
+        if (System.getSecurityManager() != null) {
+            AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                public Void run() {
+                    Thread.currentThread().setContextClassLoader(paramCl);
+                    return null;
+                }
+            });
+        } else {
+
+            Thread.currentThread().setContextClassLoader(paramCl);
+        }
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/util/StaxParserUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/StaxParserUtil.java
new file mode 100755
index 0000000000..fb32feff85
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/StaxParserUtil.java
@@ -0,0 +1,469 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.ErrorCodes;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.Location;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.EndElement;
+import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
+import javax.xml.transform.Source;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.dom.DOMResult;
+import javax.xml.transform.stax.StAXSource;
+import javax.xml.validation.Validator;
+import java.io.InputStream;
+
+/**
+ * Utility for the stax based parser
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Feb 8, 2010
+ */
+public class StaxParserUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    protected static Validator validator = null;
+
+    /**
+     * Bypass an entire XML element block from startElement to endElement
+     *
+     * @param xmlEventReader
+     * @param tag Tag of the XML element that we need to bypass
+     *
+     * @throws org.keycloak.saml.common.exceptions.ParsingException
+     */
+    public static void bypassElementBlock(XMLEventReader xmlEventReader, String tag) throws ParsingException {
+        while (xmlEventReader.hasNext()) {
+            EndElement endElement = getNextEndElement(xmlEventReader);
+            if (endElement == null)
+                return;
+
+            if (StaxParserUtil.matches(endElement, tag))
+                return;
+        }
+    }
+
+    /**
+     * Given an {@code Attribute}, get its trimmed value
+     *
+     * @param attribute
+     *
+     * @return
+     */
+    public static String getAttributeValue(Attribute attribute) {
+        String str = trim(attribute.getValue());
+        str = StringUtil.getSystemPropertyAsString(str);
+        return str;
+    }
+
+    /**
+     * Get the Attribute value
+     *
+     * @param startElement
+     * @param tag localpart of the qname of the attribute
+     *
+     * @return
+     */
+    public static String getAttributeValue(StartElement startElement, String tag) {
+        String result = null;
+        Attribute attr = startElement.getAttributeByName(new QName(tag));
+        if (attr != null)
+            result = getAttributeValue(attr);
+        return result;
+    }
+
+    /**
+     * Given that the {@code XMLEventReader} is in {@code XMLStreamConstants.START_ELEMENT} mode, we parse into a DOM
+     * Element
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static Element getDOMElement(XMLEventReader xmlEventReader) throws ParsingException {
+        Transformer transformer = null;
+
+        final String JDK_TRANSFORMER_PROPERTY = "picketlink.jdk.transformer";
+
+        boolean useJDKTransformer = Boolean.parseBoolean(SecurityActions.getSystemProperty(JDK_TRANSFORMER_PROPERTY, "false"));
+
+        try {
+            if (useJDKTransformer) {
+                transformer = TransformerUtil.getTransformer();
+            } else {
+                transformer = TransformerUtil.getStaxSourceToDomResultTransformer();
+            }
+
+            Document resultDocument = DocumentUtil.createDocument();
+            DOMResult domResult = new DOMResult(resultDocument);
+
+            Source source = new StAXSource(xmlEventReader);
+
+            TransformerUtil.transform(transformer, source, domResult);
+
+            Document doc = (Document) domResult.getNode();
+            return doc.getDocumentElement();
+        } catch (ConfigurationException e) {
+            throw logger.parserException(e);
+        } catch (XMLStreamException e) {
+            throw logger.parserException(e);
+        }
+    }
+
+    /**
+     * Get the element text.
+     *
+     * @param xmlEventReader
+     *
+     * @return A <b>trimmed</b> string value
+     *
+     * @throws ParsingException
+     */
+    public static String getElementText(XMLEventReader xmlEventReader) throws ParsingException {
+        String str = null;
+        try {
+            str = xmlEventReader.getElementText().trim();
+            str = StringUtil.getSystemPropertyAsString(str);
+        } catch (XMLStreamException e) {
+            throw logger.parserException(e);
+        }
+        return str;
+    }
+
+    /**
+     * Get the XML event reader
+     *
+     * @param is
+     *
+     * @return
+     */
+    public static XMLEventReader getXMLEventReader(InputStream is) {
+        XMLInputFactory xmlInputFactory = null;
+        XMLEventReader xmlEventReader = null;
+        try {
+            xmlInputFactory = getXMLInputFactory();
+            xmlInputFactory.setProperty(XMLInputFactory.IS_REPLACING_ENTITY_REFERENCES, Boolean.TRUE);
+            xmlInputFactory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
+            xmlInputFactory.setProperty(XMLInputFactory.IS_NAMESPACE_AWARE, Boolean.TRUE);
+            xmlInputFactory.setProperty(XMLInputFactory.IS_COALESCING, Boolean.TRUE);
+
+            xmlEventReader = xmlInputFactory.createXMLEventReader(is);
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }
+        return xmlEventReader;
+    }
+
+    /**
+     * Given a {@code Location}, return a formatted string [lineNum,colNum]
+     *
+     * @param location
+     *
+     * @return
+     */
+    public static String getLineColumnNumber(Location location) {
+        StringBuilder builder = new StringBuilder("[");
+        builder.append(location.getLineNumber()).append(",").append(location.getColumnNumber()).append("]");
+        return builder.toString();
+    }
+
+    /**
+     * Get the next xml event
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static XMLEvent getNextEvent(XMLEventReader xmlEventReader) throws ParsingException {
+        try {
+            return xmlEventReader.nextEvent();
+        } catch (XMLStreamException e) {
+            throw logger.parserException(e);
+        }
+    }
+
+    /**
+     * Get the next {@code StartElement }
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static StartElement getNextStartElement(XMLEventReader xmlEventReader) throws ParsingException {
+        try {
+            while (xmlEventReader.hasNext()) {
+                XMLEvent xmlEvent = xmlEventReader.nextEvent();
+
+                if (xmlEvent == null || xmlEvent.isStartElement())
+                    return (StartElement) xmlEvent;
+            }
+        } catch (XMLStreamException e) {
+            throw logger.parserException(e);
+        }
+        return null;
+    }
+
+    /**
+     * Get the next {@code EndElement}
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static EndElement getNextEndElement(XMLEventReader xmlEventReader) throws ParsingException {
+        try {
+            while (xmlEventReader.hasNext()) {
+                XMLEvent xmlEvent = xmlEventReader.nextEvent();
+
+                if (xmlEvent == null || xmlEvent.isEndElement())
+                    return (EndElement) xmlEvent;
+            }
+        } catch (XMLStreamException e) {
+            throw logger.parserException(e);
+        }
+        return null;
+    }
+
+    /**
+     * Return the name of the start element
+     *
+     * @param startElement
+     *
+     * @return
+     */
+    public static String getStartElementName(StartElement startElement) {
+        return trim(startElement.getName().getLocalPart());
+    }
+
+    /**
+     * Return the name of the end element
+     *
+     * @param endElement
+     *
+     * @return
+     */
+    public static String getEndElementName(EndElement endElement) {
+        return trim(endElement.getName().getLocalPart());
+    }
+
+    /**
+     * Given a start element, obtain the xsi:type defined
+     *
+     * @param startElement
+     *
+     * @return
+     *
+     * @throws RuntimeException if xsi:type is missing
+     */
+    public static String getXSITypeValue(StartElement startElement) {
+        Attribute xsiType = startElement.getAttributeByName(new QName(JBossSAMLURIConstants.XSI_NSURI.get(),
+                JBossSAMLConstants.TYPE.get()));
+        if (xsiType == null)
+            throw logger.parserExpectedXSI(ErrorCodes.EXPECTED_XSI);
+        return StaxParserUtil.getAttributeValue(xsiType);
+    }
+
+    /**
+     * Return whether the next event is going to be text
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static boolean hasTextAhead(XMLEventReader xmlEventReader) throws ParsingException {
+        XMLEvent event = peek(xmlEventReader);
+        return event.getEventType() == XMLEvent.CHARACTERS;
+    }
+
+    /**
+     * Match that the start element with the expected tag
+     *
+     * @param startElement
+     * @param tag
+     *
+     * @return boolean if the tags match
+     */
+    public static boolean matches(StartElement startElement, String tag) {
+        String elementTag = getStartElementName(startElement);
+        return tag.equals(elementTag);
+    }
+
+    /**
+     * Match that the end element with the expected tag
+     *
+     * @param endElement
+     * @param tag
+     *
+     * @return boolean if the tags match
+     */
+    public static boolean matches(EndElement endElement, String tag) {
+        String elementTag = getEndElementName(endElement);
+        return tag.equals(elementTag);
+    }
+
+    /**
+     * Peek at the next event
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static XMLEvent peek(XMLEventReader xmlEventReader) throws ParsingException {
+        try {
+            return xmlEventReader.peek();
+        } catch (XMLStreamException e) {
+            throw logger.parserException(e);
+        }
+    }
+
+    /**
+     * Peek the next {@code StartElement }
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static StartElement peekNextStartElement(XMLEventReader xmlEventReader) throws ParsingException {
+        try {
+            while (true) {
+                XMLEvent xmlEvent = xmlEventReader.peek();
+
+                if (xmlEvent == null || xmlEvent.isStartElement())
+                    return (StartElement) xmlEvent;
+                else
+                    xmlEvent = xmlEventReader.nextEvent();
+            }
+        } catch (XMLStreamException e) {
+            throw logger.parserException(e);
+        }
+    }
+
+    /**
+     * Peek the next {@code EndElement}
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static EndElement peekNextEndElement(XMLEventReader xmlEventReader) throws ParsingException {
+        try {
+            while (true) {
+                XMLEvent xmlEvent = xmlEventReader.peek();
+
+                if (xmlEvent == null || xmlEvent.isEndElement())
+                    return (EndElement) xmlEvent;
+                else
+                    xmlEvent = xmlEventReader.nextEvent();
+            }
+        } catch (XMLStreamException e) {
+            throw logger.parserException(e);
+        }
+    }
+
+    /**
+     * Given a string, trim it
+     *
+     * @param str
+     *
+     * @return
+     *
+     * @throws {@code IllegalArgumentException} if the passed str is null
+     */
+    public static final String trim(String str) {
+        if (str == null)
+            throw logger.nullArgumentError("String to trim");
+        return str.trim();
+    }
+
+    /**
+     * Validate that the start element has the expected tag
+     *
+     * @param startElement
+     * @param tag
+     *
+     * @throws RuntimeException mismatch
+     */
+    public static void validate(StartElement startElement, String tag) {
+        String foundElementTag = getStartElementName(startElement);
+        if (!tag.equals(foundElementTag))
+            throw logger.parserExpectedTag(tag, foundElementTag);
+    }
+
+    /**
+     * Validate that the end element has the expected tag
+     *
+     * @param endElement
+     * @param tag
+     *
+     * @throws RuntimeException mismatch
+     */
+    public static void validate(EndElement endElement, String tag) {
+        String elementTag = getEndElementName(endElement);
+        if (!tag.equals(elementTag))
+            throw new RuntimeException(logger.parserExpectedEndTag("</" + tag + ">.  Found </" + elementTag + ">"));
+    }
+
+    private static XMLInputFactory getXMLInputFactory() {
+        boolean tccl_jaxp = SystemPropertiesUtil.getSystemProperty(GeneralConstants.TCCL_JAXP, "false")
+                .equalsIgnoreCase("true");
+        ClassLoader prevTCCL = SecurityActions.getTCCL();
+        try {
+            if (tccl_jaxp) {
+                SecurityActions.setTCCL(StaxParserUtil.class.getClassLoader());
+            }
+            return XMLInputFactory.newInstance();
+        } finally {
+            if (tccl_jaxp) {
+                SecurityActions.setTCCL(prevTCCL);
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/util/StaxUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/StaxUtil.java
new file mode 100755
index 0000000000..be4ef43dd5
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/StaxUtil.java
@@ -0,0 +1,447 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.w3c.dom.Attr;
+import org.w3c.dom.DOMException;
+import org.w3c.dom.Element;
+import org.w3c.dom.NamedNodeMap;
+import org.w3c.dom.Node;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventWriter;
+import javax.xml.stream.XMLOutputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.XMLStreamWriter;
+import javax.xml.transform.Result;
+import java.io.OutputStream;
+import java.io.Writer;
+import java.util.Stack;
+
+/**
+ * Utility class that deals with StAX
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Oct 19, 2010
+ */
+public class StaxUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    private static ThreadLocal<Stack<String>> registeredNSStack = new ThreadLocal<Stack<String>>();
+
+    /**
+     * Flush the stream writer
+     *
+     * @param writer
+     *
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     */
+    public static void flush(XMLStreamWriter writer) throws ProcessingException {
+        try {
+            writer.flush();
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Get an {@code XMLEventWriter}
+     *
+     * @param outStream
+     *
+     * @return
+     *
+     * @throws ProcessingException
+     */
+    public static XMLEventWriter getXMLEventWriter(final OutputStream outStream) throws ProcessingException {
+        XMLOutputFactory xmlOutputFactory = getXMLOutputFactory();
+        try {
+            return xmlOutputFactory.createXMLEventWriter(outStream, "UTF-8");
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Get an {@code XMLStreamWriter}
+     *
+     * @param outStream
+     *
+     * @return
+     *
+     * @throws ProcessingException
+     */
+    public static XMLStreamWriter getXMLStreamWriter(final OutputStream outStream) throws ProcessingException {
+        XMLOutputFactory xmlOutputFactory = getXMLOutputFactory();
+        try {
+            return xmlOutputFactory.createXMLStreamWriter(outStream, "UTF-8");
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Get an {@code XMLStreamWriter}
+     *
+     * @param writer {@code Writer}
+     *
+     * @return
+     *
+     * @throws ProcessingException
+     */
+    public static XMLStreamWriter getXMLStreamWriter(final Writer writer) throws ProcessingException {
+        XMLOutputFactory xmlOutputFactory = getXMLOutputFactory();
+        try {
+            return xmlOutputFactory.createXMLStreamWriter(writer);
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    public static XMLStreamWriter getXMLStreamWriter(final Result result) throws ProcessingException {
+        XMLOutputFactory factory = getXMLOutputFactory();
+        try {
+            return factory.createXMLStreamWriter(result);
+        } catch (XMLStreamException xe) {
+            throw logger.processingError(xe);
+        }
+    }
+
+    /**
+     * Set a prefix
+     *
+     * @param writer
+     * @param prefix
+     * @param nsURI
+     *
+     * @throws ProcessingException
+     */
+    public static void setPrefix(XMLStreamWriter writer, String prefix, String nsURI) throws ProcessingException {
+        try {
+            writer.setPrefix(prefix, nsURI);
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Write an attribute
+     *
+     * @param writer
+     * @param attributeName QName of the attribute
+     * @param attributeValue
+     *
+     * @throws ProcessingException
+     */
+    public static void writeAttribute(XMLStreamWriter writer, String attributeName, QName attributeValue)
+            throws ProcessingException {
+        writeAttribute(writer, attributeName, attributeValue.toString());
+    }
+
+    /**
+     * Write an attribute
+     *
+     * @param writer
+     * @param attributeName QName of the attribute
+     * @param attributeValue
+     *
+     * @throws ProcessingException
+     */
+    public static void writeAttribute(XMLStreamWriter writer, QName attributeName, String attributeValue)
+            throws ProcessingException {
+        try {
+            writer.writeAttribute(attributeName.getPrefix(), attributeName.getNamespaceURI(), attributeName.getLocalPart(),
+                    attributeValue);
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Write an xml attribute
+     *
+     * @param writer
+     * @param localName localpart
+     * @param value value of the attribute
+     *
+     * @throws ProcessingException
+     */
+    public static void writeAttribute(XMLStreamWriter writer, String localName, String value) throws ProcessingException {
+        try {
+            writer.writeAttribute(localName, value);
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Write an xml attribute
+     *
+     * @param writer
+     * @param localName localpart
+     * @param type typically xsi:type
+     * @param value value of the attribute
+     *
+     * @throws ProcessingException
+     */
+    public static void writeAttribute(XMLStreamWriter writer, String localName, String type, String value)
+            throws ProcessingException {
+        try {
+            writer.writeAttribute(localName, type, value);
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Write an xml attribute
+     *
+     * @param writer
+     * @param prefix prefix for the attribute
+     * @param localName localpart
+     * @param type typically xsi:type
+     * @param value value of the attribute
+     *
+     * @throws ProcessingException
+     */
+    public static void writeAttribute(XMLStreamWriter writer, String prefix, String localName, String type, String value)
+            throws ProcessingException {
+        try {
+            writer.writeAttribute(prefix, localName, type, value);
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Write a string as text node
+     *
+     * @param writer
+     * @param value
+     *
+     * @throws ProcessingException
+     */
+    public static void writeCharacters(XMLStreamWriter writer, String value) throws ProcessingException {
+        try {
+            writer.writeCharacters(value);
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Write a string as text node
+     *
+     * @param writer
+     * @param value
+     *
+     * @throws ProcessingException
+     */
+    public static void writeCData(XMLStreamWriter writer, String value) throws ProcessingException {
+        try {
+            writer.writeCData(value);
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Write the default namespace
+     *
+     * @param writer
+     * @param ns
+     *
+     * @throws ProcessingException
+     */
+    public static void writeDefaultNameSpace(XMLStreamWriter writer, String ns) throws ProcessingException {
+        try {
+            writer.writeDefaultNamespace(ns);
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Write a DOM Node to the stream
+     *
+     * @param writer
+     * @param node
+     *
+     * @throws ProcessingException
+     */
+    public static void writeDOMNode(XMLStreamWriter writer, Node node) throws ProcessingException {
+        try {
+            short nodeType = node.getNodeType();
+
+            switch (nodeType) {
+                case Node.ELEMENT_NODE:
+                    writeDOMElement(writer, (Element) node);
+                    break;
+                case Node.TEXT_NODE:
+                    writer.writeCharacters(node.getNodeValue());
+                    break;
+                case Node.COMMENT_NODE:
+                    writer.writeComment(node.getNodeValue());
+                    break;
+                case Node.CDATA_SECTION_NODE:
+                    writer.writeCData(node.getNodeValue());
+                    break;
+                default:
+                    // Don't care
+            }
+        } catch (DOMException e) {
+            throw logger.processingError(e);
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Write DOM Element to the stream
+     *
+     * @param writer
+     * @param domElement
+     *
+     * @throws ProcessingException
+     */
+    public static void writeDOMElement(XMLStreamWriter writer, Element domElement) throws ProcessingException {
+        if (registeredNSStack.get() == null) {
+            registeredNSStack.set(new Stack<String>());
+        }
+        String domElementPrefix = domElement.getPrefix();
+
+        if (domElementPrefix == null) {
+            domElementPrefix = "";
+        }
+
+        String domElementNS = domElement.getNamespaceURI();
+        if (domElementNS == null) {
+            domElementNS = "";
+        }
+
+        writeStartElement(writer, domElementPrefix, domElement.getLocalName(), domElementNS);
+
+        // Should we register namespace
+        if (domElementPrefix != "" && !registeredNSStack.get().contains(domElementNS)) {
+            // writeNameSpace(writer, domElementPrefix, domElementNS );
+            registeredNSStack.get().push(domElementNS);
+        } else if (domElementPrefix == "" && domElementNS != null) {
+            writeNameSpace(writer, "xmlns", domElementNS);
+        }
+
+        // Deal with Attributes
+        NamedNodeMap attrs = domElement.getAttributes();
+        for (int i = 0, len = attrs.getLength(); i < len; ++i) {
+            Attr attr = (Attr) attrs.item(i);
+            String attributePrefix = attr.getPrefix();
+            String attribLocalName = attr.getLocalName();
+            String attribValue = attr.getValue();
+
+            if (attributePrefix == null || attributePrefix.length() == 0) {
+                if (!("xmlns".equals(attribLocalName))) {
+                    writeAttribute(writer, attribLocalName, attribValue);
+                }
+            } else {
+                if ("xmlns".equals(attributePrefix)) {
+                    writeNameSpace(writer, attribLocalName, attribValue);
+                } else {
+                    writeAttribute(writer, new QName(attr.getNamespaceURI(), attribLocalName, attributePrefix), attribValue);
+                }
+            }
+        }
+
+        for (Node child = domElement.getFirstChild(); child != null; child = child.getNextSibling()) {
+            writeDOMNode(writer, child);
+        }
+
+        writeEndElement(writer);
+    }
+
+    /**
+     * Write a namespace
+     *
+     * @param writer
+     * @param prefix prefix
+     * @param ns Namespace URI
+     *
+     * @throws ProcessingException
+     */
+    public static void writeNameSpace(XMLStreamWriter writer, String prefix, String ns) throws ProcessingException {
+        try {
+            writer.writeNamespace(prefix, ns);
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Write a start element
+     *
+     * @param writer
+     * @param prefix
+     * @param localPart
+     * @param ns
+     *
+     * @throws ProcessingException
+     */
+    public static void writeStartElement(XMLStreamWriter writer, String prefix, String localPart, String ns)
+            throws ProcessingException {
+        try {
+            writer.writeStartElement(prefix, localPart, ns);
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * <p> Write an end element. The stream writer keeps track of which start element needs to be closed with an end
+     * tag. </p>
+     *
+     * @param writer
+     *
+     * @throws ProcessingException
+     */
+    public static void writeEndElement(XMLStreamWriter writer) throws ProcessingException {
+        try {
+            writer.writeEndElement();
+        } catch (XMLStreamException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    private static XMLOutputFactory getXMLOutputFactory() {
+        boolean tccl_jaxp = SystemPropertiesUtil.getSystemProperty(GeneralConstants.TCCL_JAXP, "false")
+                .equalsIgnoreCase("true");
+        ClassLoader prevTCCL = SecurityActions.getTCCL();
+        try {
+            if (tccl_jaxp) {
+                SecurityActions.setTCCL(StaxUtil.class.getClassLoader());
+            }
+            return XMLOutputFactory.newInstance();
+        } finally {
+            if (tccl_jaxp) {
+                SecurityActions.setTCCL(prevTCCL);
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/util/StringUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/StringUtil.java
new file mode 100755
index 0000000000..9157982552
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/StringUtil.java
@@ -0,0 +1,229 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.PicketLinkCommonConstants;
+
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import javax.crypto.spec.PBEParameterSpec;
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.StringTokenizer;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * Utility dealing with Strings
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Oct 21, 2009
+ */
+public class StringUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * Check whether the passed string is null or empty
+     *
+     * @param str
+     *
+     * @return
+     */
+    public static boolean isNotNull(String str) {
+        return str != null && !"".equals(str.trim());
+    }
+
+    /**
+     * Check whether the string is null or empty
+     *
+     * @param str
+     *
+     * @return
+     */
+    public static boolean isNullOrEmpty(String str) {
+        return str == null || str.isEmpty();
+    }
+
+    /**
+     * <p>
+     * Get the system property value if the string is of the format ${sysproperty}
+     * </p>
+     * <p>
+     * You can insert default value when the system property is not set, by separating it at the beginning with ::
+     * </p>
+     * <p>
+     * <b>Examples:</b>
+     * </p>
+     *
+     * <p>
+     * ${idp} should resolve to a value if the system property "idp" is set.
+     * </p>
+     * <p>
+     * ${idp::http://localhost:8080} will resolve to http://localhost:8080 if the system property "idp" is not set.
+     * </p>
+     *
+     * @param str
+     *
+     * @return
+     */
+    public static String getSystemPropertyAsString(String str) {
+        if (str == null)
+            throw logger.nullArgumentError("str");
+        if (str.contains("${")) {
+            Pattern pattern = Pattern.compile("\\$\\{([^}]+)}");
+            Matcher matcher = pattern.matcher(str);
+
+            StringBuffer buffer = new StringBuffer();
+            String sysPropertyValue = null;
+
+            while (matcher.find()) {
+                String subString = matcher.group(1);
+                String defaultValue = "";
+
+                // Look for default value
+                if (subString.contains("::")) {
+                    int index = subString.indexOf("::");
+                    defaultValue = subString.substring(index + 2);
+                    subString = subString.substring(0, index);
+                }
+                sysPropertyValue = SecurityActions.getSystemProperty(subString, defaultValue);
+                if (sysPropertyValue.isEmpty()) {
+                    throw logger.systemPropertyMissingError(matcher.group(1));
+                }else{
+                    // sanitize the value before we use append-and-replace
+                    sysPropertyValue = Matcher.quoteReplacement(sysPropertyValue);
+                }
+                matcher.appendReplacement(buffer, sysPropertyValue);
+            }
+
+            matcher.appendTail(buffer);
+            str = buffer.toString();
+        }
+        return str;
+    }
+
+    /**
+     * Match two strings else throw a {@link RuntimeException}
+     *
+     * @param first
+     * @param second
+     */
+    public static void match(String first, String second) {
+        if (first.equals(second) == false)
+            throw logger.notEqualError(first, second);
+    }
+
+    /**
+     * Given a comma separated string, get the tokens as a {@link List}
+     *
+     * @param str
+     *
+     * @return
+     */
+    public static List<String> tokenize(String str) {
+        return tokenize(str, ",");
+    }
+
+    /**
+     * Given a delimited string, get the tokens as a {@link List}
+     *
+     * @param str
+     * @param delimiter the delimiter
+     *
+     * @return
+     */
+    public static List<String> tokenize(String str, String delimiter) {
+        List<String> list = new ArrayList<String>();
+        StringTokenizer tokenizer = new StringTokenizer(str, delimiter);
+        while (tokenizer.hasMoreTokens()) {
+            list.add(tokenizer.nextToken());
+        }
+        return list;
+    }
+
+    /**
+     * Given a string that is comma delimited and contains key-value pairs
+     *
+     * @param keyValuePairString
+     *
+     * @return
+     */
+    public static Map<String, String> tokenizeKeyValuePair(String keyValuePairString) {
+        Map<String, String> map = new HashMap<String, String>();
+
+        List<String> tokens = tokenize(keyValuePairString);
+        for (String token : tokens) {
+            int location = token.indexOf('=');
+            map.put(token.substring(0, location), token.substring(location + 1));
+        }
+        return map;
+    }
+
+    /**
+     * Given a masked password {@link String}, decode it
+     *
+     * @param maskedString a password string that is masked
+     * @param salt Salt
+     * @param iterationCount Iteration Count
+     *
+     * @return Decoded String
+     *
+     * @throws Exception
+     */
+    public static String decode(String maskedString, String salt, int iterationCount) throws Exception {
+        String pbeAlgo = PicketLinkCommonConstants.PBE_ALGORITHM;
+        if (maskedString.startsWith(PicketLinkCommonConstants.PASS_MASK_PREFIX)) {
+            // Create the PBE secret key
+            SecretKeyFactory factory = SecretKeyFactory.getInstance(pbeAlgo);
+
+            char[] password = "somearbitrarycrazystringthatdoesnotmatter".toCharArray();
+            PBEParameterSpec cipherSpec = new PBEParameterSpec(salt.getBytes(), iterationCount);
+            PBEKeySpec keySpec = new PBEKeySpec(password);
+            SecretKey cipherKey = factory.generateSecret(keySpec);
+
+            maskedString = maskedString.substring(PicketLinkCommonConstants.PASS_MASK_PREFIX.length());
+            String decodedValue = PBEUtils.decode64(maskedString, pbeAlgo, cipherKey, cipherSpec);
+
+            maskedString = decodedValue;
+        }
+        return maskedString;
+    }
+
+    public static String[] split(String toSplit, String delimiter) {
+        if (delimiter.length() != 1) {
+            throw new IllegalArgumentException("Delimiter can only be one character in length");
+        }
+
+        int offset = toSplit.indexOf(delimiter);
+
+        if (offset < 0) {
+            return null;
+        }
+
+        String beforeDelimiter = toSplit.substring(0, offset);
+        String afterDelimiter = toSplit.substring(offset + 1);
+
+        return new String[]{beforeDelimiter, afterDelimiter};
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/util/SystemPropertiesUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/SystemPropertiesUtil.java
new file mode 100755
index 0000000000..28dd35c4c2
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/SystemPropertiesUtil.java
@@ -0,0 +1,64 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.util;
+
+import javax.xml.XMLConstants;
+
+/**
+ * Utility dealing with the system properties at the JVM level for PicketLink
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jul 1, 2011
+ */
+public class SystemPropertiesUtil {
+    static {
+        // XML Signature
+        String xmlSec = "org.apache.xml.security.ignoreLineBreaks";
+        if (StringUtil.isNullOrEmpty(SecurityActions.getSystemProperty(xmlSec, ""))) {
+            SecurityActions.setSystemProperty(xmlSec, "true");
+        }
+
+        // For JAXP Validation
+        String schemaFactoryProperty = "javax.xml.validation.SchemaFactory:" + XMLConstants.W3C_XML_SCHEMA_NS_URI;
+        if (StringUtil.isNullOrEmpty(SecurityActions.getSystemProperty(schemaFactoryProperty, ""))) {
+            SecurityActions.setSystemProperty(schemaFactoryProperty, "org.apache.xerces.jaxp.validation.XMLSchemaFactory");
+        }
+
+        // For the XACML Engine
+        String xacmlValidation = "org.jboss.security.xacml.schema.validation";
+        if (StringUtil.isNullOrEmpty(SecurityActions.getSystemProperty(xacmlValidation, ""))) {
+            SecurityActions.setSystemProperty(xacmlValidation, "false");
+        }
+    };
+
+    /**
+     * No-op call such that the default system properties are set
+     */
+    public static void ensure() {
+    }
+
+    /**
+     * Get the System Property
+     * @param key key of the system property
+     * @param defaultValue default value to be returned if the system property is not set
+     * @return
+     */
+    public static String getSystemProperty(final String key, final String defaultValue){
+        return SecurityActions.getSystemProperty(key,defaultValue);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java
new file mode 100755
index 0000000000..dd4a9d0e1f
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/common/util/TransformerUtil.java
@@ -0,0 +1,431 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.common.util;
+
+import org.keycloak.saml.common.ErrorCodes;
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.util.JAXBSource;
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.Characters;
+import javax.xml.stream.events.Comment;
+import javax.xml.stream.events.EndElement;
+import javax.xml.stream.events.Namespace;
+import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
+import javax.xml.transform.ErrorListener;
+import javax.xml.transform.OutputKeys;
+import javax.xml.transform.Result;
+import javax.xml.transform.Source;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+import javax.xml.transform.URIResolver;
+import javax.xml.transform.dom.DOMResult;
+import javax.xml.transform.stax.StAXSource;
+import java.util.Iterator;
+import java.util.Properties;
+import java.util.Stack;
+
+/**
+ * Utility to deal with JAXP Transformer
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Oct 22, 2010
+ */
+public class TransformerUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    private static TransformerFactory transformerFactory;
+
+    /**
+     * Get the Default Transformer
+     *
+     * @return
+     *
+     * @throws org.keycloak.saml.common.exceptions.ConfigurationException
+     */
+    public static Transformer getTransformer() throws ConfigurationException {
+        Transformer transformer;
+        try {
+            transformer = getTransformerFactory().newTransformer();
+        } catch (TransformerConfigurationException e) {
+            throw logger.configurationError(e);
+        } catch (TransformerFactoryConfigurationError e) {
+            throw logger.configurationError(e);
+        }
+
+        transformer.setOutputProperty(OutputKeys.OMIT_XML_DECLARATION, "yes");
+        transformer.setOutputProperty(OutputKeys.INDENT, "no");
+
+        return transformer;
+    }
+
+    /**
+     * <p>Creates a {@link TransformerFactory}. The returned instance is cached and shared between different
+     * threads.</p>
+     *
+     * @return
+     *
+     * @throws TransformerFactoryConfigurationError
+     */
+    public static TransformerFactory getTransformerFactory() throws TransformerFactoryConfigurationError {
+        if (transformerFactory == null) {
+            boolean tccl_jaxp = SystemPropertiesUtil.getSystemProperty(GeneralConstants.TCCL_JAXP, "false")
+                    .equalsIgnoreCase("true");
+            ClassLoader prevTCCL = SecurityActions.getTCCL();
+            try {
+                if (tccl_jaxp) {
+                    SecurityActions.setTCCL(TransformerUtil.class.getClassLoader());
+                }
+                transformerFactory = TransformerFactory.newInstance();
+            } finally {
+                if (tccl_jaxp) {
+                    SecurityActions.setTCCL(prevTCCL);
+                }
+            }
+        }
+
+        return transformerFactory;
+    }
+
+    /**
+     * Get the Custom Stax Source to DOM result transformer that has been written to get over the JDK transformer bugs
+     * (JDK6) as well as the issue of Xalan installing its Transformer (which does not support stax).
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public static Transformer getStaxSourceToDomResultTransformer() throws ConfigurationException {
+        return new PicketLinkStaxToDOMTransformer();
+    }
+
+    /**
+     * Use the transformer to transform
+     *
+     * @param transformer
+     * @param stax
+     * @param result
+     *
+     * @throws org.keycloak.saml.common.exceptions.ParsingException
+     */
+    public static void transform(Transformer transformer, StAXSource stax, DOMResult result) throws ParsingException {
+        transform(transformer, (Source) stax, result);
+    }
+
+    /**
+     * Use the transformer to transform
+     *
+     * @param transformer
+     * @param source
+     * @param result
+     *
+     * @throws ParsingException
+     */
+    public static void transform(Transformer transformer, Source source, DOMResult result) throws ParsingException {
+        boolean tccl_jaxp = SystemPropertiesUtil.getSystemProperty(GeneralConstants.TCCL_JAXP, "false").equalsIgnoreCase("true");
+        ClassLoader prevCL = SecurityActions.getTCCL();
+        try {
+            if (tccl_jaxp) {
+                SecurityActions.setTCCL(TransformerUtil.class.getClassLoader());
+            }
+            transformer.transform(source, result);
+        } catch (TransformerException e) {
+            throw logger.parserError(e);
+        } finally {
+            if (tccl_jaxp) {
+                SecurityActions.setTCCL(prevCL);
+            }
+        }
+    }
+
+    public static void transform(JAXBContext context, JAXBElement<?> jaxb, Result result) throws ParsingException {
+        try {
+            Transformer transformer = getTransformer();
+            JAXBSource jaxbSource = new JAXBSource(context, jaxb);
+
+            transformer.transform(jaxbSource, result);
+        } catch (Exception e) {
+            throw logger.parserError(e);
+        }
+    }
+
+    /**
+     * Custom Project {@code Transformer} that can take in a {@link StAXSource} and transform into {@link DOMResult}
+     *
+     * @author anil
+     */
+    private static class PicketLinkStaxToDOMTransformer extends Transformer {
+        @Override
+        public void transform(Source xmlSource, Result outputTarget) throws TransformerException {
+            if (!(xmlSource instanceof StAXSource))
+                throw logger.wrongTypeError("xmlSource should be a stax source");
+            if (outputTarget instanceof DOMResult == false)
+                throw logger.wrongTypeError("outputTarget should be a dom result");
+
+            String rootTag = null;
+
+            StAXSource staxSource = (StAXSource) xmlSource;
+            XMLEventReader xmlEventReader = staxSource.getXMLEventReader();
+            if (xmlEventReader == null)
+                throw new TransformerException(logger.nullValueError("XMLEventReader"));
+
+            DOMResult domResult = (DOMResult) outputTarget;
+            Document doc = (Document) domResult.getNode();
+
+            Stack<Node> stack = new Stack<Node>();
+
+            try {
+                XMLEvent xmlEvent = StaxParserUtil.getNextEvent(xmlEventReader);
+                if (xmlEvent instanceof StartElement == false)
+                    throw new TransformerException(ErrorCodes.WRITER_SHOULD_START_ELEMENT);
+
+                StartElement rootElement = (StartElement) xmlEvent;
+                rootTag = StaxParserUtil.getStartElementName(rootElement);
+                Element docRoot = handleStartElement(xmlEventReader, rootElement, new CustomHolder(doc, false));
+                Node parent = doc.importNode(docRoot, true);
+                doc.appendChild(parent);
+
+                stack.push(parent);
+
+                while (xmlEventReader.hasNext()) {
+                    xmlEvent = StaxParserUtil.getNextEvent(xmlEventReader);
+                    int type = xmlEvent.getEventType();
+                    switch (type) {
+                        case XMLEvent.START_ELEMENT:
+                            StartElement startElement = (StartElement) xmlEvent;
+                            CustomHolder holder = new CustomHolder(doc, false);
+                            Element docStartElement = handleStartElement(xmlEventReader, startElement, holder);
+                            Node el = doc.importNode(docStartElement, true);
+
+                            Node top = null;
+
+                            if (!stack.isEmpty()) {
+                                top = stack.peek();
+                            }
+
+                            if (!holder.encounteredTextNode) {
+                                stack.push(el);
+                            }
+
+                            if (top == null)
+                                doc.appendChild(el);
+                            else
+                                top.appendChild(el);
+                            break;
+                        case XMLEvent.END_ELEMENT:
+                            EndElement endElement = (EndElement) xmlEvent;
+                            String endTag = StaxParserUtil.getEndElementName(endElement);
+                            if (rootTag.equals(endTag))
+                                return; // We are done with the dom parsing
+                            else {
+                                if (!stack.isEmpty())
+                                    stack.pop();
+                            }
+                            break;
+                    }
+                }
+            } catch (Exception e) {
+                throw new TransformerException(e);
+            }
+        }
+
+        @Override
+        public void setParameter(String name, Object value) {
+        }
+
+        @Override
+        public Object getParameter(String name) {
+            return null;
+        }
+
+        @Override
+        public void clearParameters() {
+        }
+
+        @Override
+        public void setURIResolver(URIResolver resolver) {
+        }
+
+        @Override
+        public URIResolver getURIResolver() {
+            return null;
+        }
+
+        @Override
+        public void setOutputProperties(Properties oformat) {
+        }
+
+        @Override
+        public Properties getOutputProperties() {
+            return null;
+        }
+
+        @Override
+        public void setOutputProperty(String name, String value) throws IllegalArgumentException {
+        }
+
+        @Override
+        public String getOutputProperty(String name) throws IllegalArgumentException {
+            return null;
+        }
+
+        @Override
+        public void setErrorListener(ErrorListener listener) throws IllegalArgumentException {
+        }
+
+        @Override
+        public ErrorListener getErrorListener() {
+            return null;
+        }
+
+        private Element handleStartElement(XMLEventReader xmlEventReader, StartElement startElement, CustomHolder holder)
+                throws ParsingException, ProcessingException {
+            Document doc = holder.doc;
+
+            QName elementName = startElement.getName();
+            String ns = elementName.getNamespaceURI();
+            String prefix = elementName.getPrefix();
+            String localPart = elementName.getLocalPart();
+
+            String qual = prefix != null && prefix != "" ? prefix + ":" + localPart : localPart;
+
+            Element el = doc.createElementNS(ns, qual);
+
+            String containsBaseNamespace = containsBaseNamespace(startElement);
+            if (StringUtil.isNotNull(containsBaseNamespace)) {
+                el = DocumentUtil.createDocumentWithBaseNamespace(containsBaseNamespace, localPart).getDocumentElement();
+                el = (Element) doc.importNode(el, true);
+            }
+            if (StringUtil.isNotNull(prefix)) {
+                el.setPrefix(prefix);
+            }
+
+            // Look for attributes
+            @SuppressWarnings("unchecked")
+            Iterator<Attribute> attrs = startElement.getAttributes();
+            while (attrs != null && attrs.hasNext()) {
+                Attribute attr = attrs.next();
+                QName attrName = attr.getName();
+                ns = attrName.getNamespaceURI();
+                prefix = attrName.getPrefix();
+                localPart = attrName.getLocalPart();
+                qual = prefix != null && prefix != "" ? prefix + ":" + localPart : localPart;
+
+                if (logger.isTraceEnabled()) {
+                    logger.trace("Creating an Attribute Namespace=" + ns + ":" + qual);
+                }
+                doc.createAttributeNS(ns, qual);
+                el.setAttributeNS(ns, qual, attr.getValue());
+            }
+
+            // look for namespaces
+            @SuppressWarnings("unchecked")
+            Iterator<Namespace> namespaces = startElement.getNamespaces();
+            while (namespaces != null && namespaces.hasNext()) {
+                Namespace namespace = namespaces.next();
+                QName name = namespace.getName();
+                localPart = name.getLocalPart();
+                prefix = name.getPrefix();
+                if (prefix != null && prefix != "")
+                    qual = (localPart != null && localPart != "") ? prefix + ":" + localPart : prefix;
+
+                if (qual.equals("xmlns"))
+                    continue;
+                if (logger.isTraceEnabled()) {
+                    logger.trace("Set Attribute Namespace=" + name.getNamespaceURI() + "::Qual=:" + qual + "::Value="
+                            + namespace.getNamespaceURI());
+                }
+                if (qual != null && qual.startsWith("xmlns")) {
+                    el.setAttributeNS(name.getNamespaceURI(), qual, namespace.getNamespaceURI());
+                }
+            }
+
+            XMLEvent nextEvent = StaxParserUtil.peek(xmlEventReader);
+            if (nextEvent instanceof Comment) {
+                Comment commentEvent = (Comment) nextEvent;
+                Node commentNode = doc.createComment(commentEvent.getText());
+                commentNode = doc.importNode(commentNode, true);
+                el.appendChild(commentNode);
+            } else if (nextEvent.getEventType() == XMLEvent.CHARACTERS) {
+                Characters characterEvent = (Characters) nextEvent;
+                String trimmedData = characterEvent.getData().trim();
+
+                if (trimmedData != null && trimmedData.length() > 0) {
+                    holder.encounteredTextNode = true;
+                    try {
+                        String text = StaxParserUtil.getElementText(xmlEventReader);
+
+                        Node textNode = doc.createTextNode(text);
+                        textNode = doc.importNode(textNode, true);
+                        el.appendChild(textNode);
+                    } catch (Exception e) {
+                        throw logger.parserException(e);
+                    }
+                }
+            }
+            return el;
+        }
+
+        @SuppressWarnings("unchecked")
+        private String containsBaseNamespace(StartElement startElement) {
+            String localPart, prefix, qual = null;
+
+            Iterator<Namespace> namespaces = startElement.getNamespaces();
+            while (namespaces != null && namespaces.hasNext()) {
+                Namespace namespace = namespaces.next();
+                QName name = namespace.getName();
+                localPart = name.getLocalPart();
+                prefix = name.getPrefix();
+                if (prefix != null && prefix != "")
+                    qual = (localPart != null && localPart != "") ? prefix + ":" + localPart : prefix;
+
+                if (qual != null && qual.equals("xmlns"))
+                    return namespace.getNamespaceURI();
+            }
+            return null;
+        }
+
+        private class CustomHolder {
+            public Document doc;
+
+            public boolean encounteredTextNode = false;
+
+            public CustomHolder(Document document, boolean bool) {
+                this.doc = document;
+                this.encounteredTextNode = bool;
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/request/SAML2Request.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/request/SAML2Request.java
new file mode 100755
index 0000000000..906d9088af
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/request/SAML2Request.java
@@ -0,0 +1,336 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.api.saml.v2.request;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.DocumentUtil;
+import org.keycloak.saml.common.util.StaxUtil;
+import org.keycloak.dom.saml.v2.SAML2Object;
+import org.keycloak.saml.processing.core.parsers.saml.SAMLParser;
+import org.keycloak.saml.processing.core.saml.v2.common.IDGenerator;
+import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.saml.processing.core.saml.v2.writers.SAMLRequestWriter;
+import org.keycloak.saml.processing.core.saml.v2.writers.SAMLResponseWriter;
+import org.keycloak.saml.processing.core.util.JAXPValidationUtil;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
+import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
+import org.keycloak.dom.saml.v2.protocol.NameIDPolicyType;
+import org.keycloak.dom.saml.v2.protocol.RequestAbstractType;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
+import org.w3c.dom.Document;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.Writer;
+import java.net.URI;
+import java.net.URL;
+
+/**
+ * API for SAML2 Request
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jan 5, 2009
+ */
+public class SAML2Request {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    private SAMLDocumentHolder samlDocumentHolder = null;
+
+    private String nameIDFormat = JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get();
+
+    /**
+     * Set the NameIDFormat
+     *
+     * @param nameIDFormat
+     */
+    public void setNameIDFormat(String nameIDFormat) {
+        this.nameIDFormat = nameIDFormat;
+    }
+
+    /**
+     * Create an authentication request
+     *
+     * @param id
+     * @param assertionConsumerURL
+     * @param destination
+     * @param issuerValue
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public AuthnRequestType createAuthnRequestType(String id, String assertionConsumerURL, String destination,
+                                                   String issuerValue) throws ConfigurationException {
+        XMLGregorianCalendar issueInstant = XMLTimeUtil.getIssueInstant();
+
+        AuthnRequestType authnRequest = new AuthnRequestType(id, issueInstant);
+        authnRequest.setAssertionConsumerServiceURL(URI.create(assertionConsumerURL));
+        authnRequest.setProtocolBinding(URI.create(JBossSAMLConstants.HTTP_POST_BINDING.get()));
+        if (destination != null) {
+            authnRequest.setDestination(URI.create(destination));
+        }
+
+        // Create an issuer
+        NameIDType issuer = new NameIDType();
+        issuer.setValue(issuerValue);
+
+        authnRequest.setIssuer(issuer);
+
+        // Create a default NameIDPolicy
+        NameIDPolicyType nameIDPolicy = new NameIDPolicyType();
+        nameIDPolicy.setAllowCreate(Boolean.TRUE);
+        nameIDPolicy.setFormat(URI.create(this.nameIDFormat));
+
+        authnRequest.setNameIDPolicy(nameIDPolicy);
+
+        return authnRequest;
+    }
+
+    /**
+     * Get AuthnRequestType from a file
+     *
+     * @param fileName file with the serialized AuthnRequestType
+     *
+     * @return AuthnRequestType
+     *
+     * @throws ParsingException
+     * @throws ProcessingException
+     * @throws ConfigurationException
+     * @throws IllegalArgumentException if the input fileName is null IllegalStateException if the InputStream from the
+     * fileName
+     * is null
+     */
+    public AuthnRequestType getAuthnRequestType(String fileName) throws ConfigurationException, ProcessingException,
+            ParsingException {
+        if (fileName == null)
+            throw logger.nullArgumentError("fileName");
+        URL resourceURL = SecurityActions.loadResource(getClass(), fileName);
+        if (resourceURL == null)
+            throw logger.resourceNotFound(fileName);
+
+        InputStream is = null;
+        try {
+            is = resourceURL.openStream();
+        } catch (IOException e) {
+            throw logger.processingError(e);
+        }
+        return getAuthnRequestType(is);
+    }
+
+    /**
+     * Get the Underlying SAML2Object from the input stream
+     *
+     * @param is
+     *
+     * @return
+     *
+     * @throws IOException
+     * @throws ParsingException
+     */
+    public SAML2Object getSAML2ObjectFromStream(InputStream is) throws ConfigurationException, ParsingException,
+            ProcessingException {
+        if (is == null)
+            throw logger.nullArgumentError("InputStream");
+
+        Document samlDocument = DocumentUtil.getDocument(is);
+
+        SAMLParser samlParser = new SAMLParser();
+        JAXPValidationUtil.checkSchemaValidation(samlDocument);
+        SAML2Object requestType = (SAML2Object) samlParser.parse(DocumentUtil.getNodeAsStream(samlDocument));
+
+        samlDocumentHolder = new SAMLDocumentHolder(requestType, samlDocument);
+        return requestType;
+    }
+
+    /**
+     * Get a Request Type from Input Stream
+     *
+     * @param is
+     *
+     * @return
+     *
+     * @throws ProcessingException
+     * @throws ConfigurationException
+     * @throws
+     * @throws IllegalArgumentException inputstream is null
+     */
+    public RequestAbstractType getRequestType(InputStream is) throws ParsingException, ConfigurationException,
+            ProcessingException {
+        if (is == null)
+            throw logger.nullArgumentError("InputStream");
+
+        Document samlDocument = DocumentUtil.getDocument(is);
+
+        SAMLParser samlParser = new SAMLParser();
+        JAXPValidationUtil.checkSchemaValidation(samlDocument);
+        RequestAbstractType requestType = (RequestAbstractType) samlParser.parse(DocumentUtil.getNodeAsStream(samlDocument));
+
+        samlDocumentHolder = new SAMLDocumentHolder(requestType, samlDocument);
+        return requestType;
+    }
+
+    /**
+     * Get the AuthnRequestType from an input stream
+     *
+     * @param is Inputstream containing the AuthnRequest
+     *
+     * @return
+     *
+     * @throws ParsingException
+     * @throws ProcessingException
+     * @throws ConfigurationException
+     * @throws IllegalArgumentException inputstream is null
+     */
+    public AuthnRequestType getAuthnRequestType(InputStream is) throws ConfigurationException, ProcessingException,
+            ParsingException {
+        if (is == null)
+            throw logger.nullArgumentError("InputStream");
+
+        Document samlDocument = DocumentUtil.getDocument(is);
+
+        SAMLParser samlParser = new SAMLParser();
+        JAXPValidationUtil.checkSchemaValidation(samlDocument);
+
+        AuthnRequestType requestType = (AuthnRequestType) samlParser.parse(DocumentUtil.getNodeAsStream(samlDocument));
+        samlDocumentHolder = new SAMLDocumentHolder(requestType, samlDocument);
+        return requestType;
+    }
+
+    /**
+     * Get the parsed {@code SAMLDocumentHolder}
+     *
+     * @return
+     */
+    public SAMLDocumentHolder getSamlDocumentHolder() {
+        return samlDocumentHolder;
+    }
+
+    /**
+     * Create a Logout Request
+     *
+     * @param issuer
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public LogoutRequestType createLogoutRequest(String issuer) throws ConfigurationException {
+        LogoutRequestType lrt = new LogoutRequestType(IDGenerator.create("ID_"), XMLTimeUtil.getIssueInstant());
+
+        // Create an issuer
+        NameIDType issuerNameID = new NameIDType();
+        issuerNameID.setValue(issuer);
+
+        lrt.setIssuer(issuerNameID);
+
+        return lrt;
+    }
+
+    /**
+     * Return the DOM object
+     *
+     * @param rat
+     *
+     * @return
+     *
+     * @throws ProcessingException
+     * @throws ParsingException
+     * @throws ConfigurationException
+     */
+    public Document convert(RequestAbstractType rat) throws ProcessingException, ConfigurationException, ParsingException {
+        ByteArrayOutputStream bos = new ByteArrayOutputStream();
+
+        SAMLRequestWriter writer = new SAMLRequestWriter(StaxUtil.getXMLStreamWriter(bos));
+        if (rat instanceof AuthnRequestType) {
+            writer.write((AuthnRequestType) rat);
+        } else if (rat instanceof LogoutRequestType) {
+            writer.write((LogoutRequestType) rat);
+        }
+
+        return DocumentUtil.getDocument(new String(bos.toByteArray()));
+    }
+
+    /**
+     * Convert a SAML2 Response into a Document
+     *
+     * @param responseType
+     *
+     * @return
+     *
+     * @throws ProcessingException
+     * @throws ParsingException
+     * @throws ConfigurationException
+     */
+    public Document convert(ResponseType responseType) throws ProcessingException, ParsingException, ConfigurationException {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        SAMLResponseWriter writer = new SAMLResponseWriter(StaxUtil.getXMLStreamWriter(baos));
+        writer.write(responseType);
+
+        ByteArrayInputStream bis = new ByteArrayInputStream(baos.toByteArray());
+        return DocumentUtil.getDocument(bis);
+    }
+
+    /**
+     * Marshall the AuthnRequestType to an output stream
+     *
+     * @param requestType
+     * @param os
+     *
+     * @throws ProcessingException
+     */
+    public void marshall(RequestAbstractType requestType, OutputStream os) throws ProcessingException {
+        SAMLRequestWriter samlRequestWriter = new SAMLRequestWriter(StaxUtil.getXMLStreamWriter(os));
+        if (requestType instanceof AuthnRequestType) {
+            samlRequestWriter.write((AuthnRequestType) requestType);
+        } else if (requestType instanceof LogoutRequestType) {
+            samlRequestWriter.write((LogoutRequestType) requestType);
+        } else
+            throw logger.unsupportedType(requestType.getClass().getName());
+    }
+
+    /**
+     * Marshall the AuthnRequestType to a writer
+     *
+     * @param requestType
+     * @param writer
+     *
+     * @throws ProcessingException
+     */
+    public void marshall(RequestAbstractType requestType, Writer writer) throws ProcessingException {
+        SAMLRequestWriter samlRequestWriter = new SAMLRequestWriter(StaxUtil.getXMLStreamWriter(writer));
+        if (requestType instanceof AuthnRequestType) {
+            samlRequestWriter.write((AuthnRequestType) requestType);
+        } else if (requestType instanceof LogoutRequestType) {
+            samlRequestWriter.write((LogoutRequestType) requestType);
+        } else
+            throw logger.unsupportedType(requestType.getClass().getName());
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/request/SecurityActions.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/request/SecurityActions.java
new file mode 100755
index 0000000000..b384af8e6d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/request/SecurityActions.java
@@ -0,0 +1,166 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.api.saml.v2.request;
+
+import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * Privileged Blocks
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 9, 2008
+ */
+class SecurityActions {
+
+    /**
+     * <p>
+     * Loads a {@link Class} using the <code>fullQualifiedName</code> supplied. This method tries first to load from
+     * the
+     * specified {@link Class}, if not found it will try to load from using TCL.
+     * </p>
+     *
+     * @param theClass
+     * @param fullQualifiedName
+     *
+     * @return
+     */
+    static Class<?> loadClass(final Class<?> theClass, final String fullQualifiedName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
+                public Class<?> run() {
+                    ClassLoader classLoader = theClass.getClassLoader();
+
+                    Class<?> clazz = loadClass(classLoader, fullQualifiedName);
+                    if (clazz == null) {
+                        classLoader = Thread.currentThread().getContextClassLoader();
+                        clazz = loadClass(classLoader, fullQualifiedName);
+                    }
+                    return clazz;
+                }
+            });
+        } else {
+            ClassLoader classLoader = theClass.getClassLoader();
+
+            Class<?> clazz = loadClass(classLoader, fullQualifiedName);
+            if (clazz == null) {
+                classLoader = Thread.currentThread().getContextClassLoader();
+                clazz = loadClass(classLoader, fullQualifiedName);
+            }
+            return clazz;
+        }
+    }
+
+    /**
+     * <p>
+     * Loads a class from the specified {@link ClassLoader} using the <code>fullQualifiedName</code> supplied.
+     * </p>
+     *
+     * @param classLoader
+     * @param fullQualifiedName
+     *
+     * @return
+     */
+    static Class<?> loadClass(final ClassLoader classLoader, final String fullQualifiedName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
+                public Class<?> run() {
+                    try {
+                        return classLoader.loadClass(fullQualifiedName);
+                    } catch (ClassNotFoundException e) {
+                    }
+                    return null;
+                }
+            });
+        } else {
+            try {
+                return classLoader.loadClass(fullQualifiedName);
+            } catch (ClassNotFoundException e) {
+            }
+            return null;
+        }
+    }
+
+    /**
+     * <p>Returns a system property value using the specified <code>key</code>. If not found the
+     * <code>defaultValue</code> will be returned.</p>
+     *
+     * @param key
+     * @param defaultValue
+     *
+     * @return
+     */
+    static String getSystemProperty(final String key, final String defaultValue) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<String>() {
+                public String run() {
+                    return System.getProperty(key, defaultValue);
+                }
+            });
+        } else {
+            return System.getProperty(key, defaultValue);
+        }
+    }
+
+    /**
+     * Load a resource based on the passed {@link Class} classloader. Failing which try with the Thread Context CL
+     *
+     * @param clazz
+     * @param resourceName
+     *
+     * @return
+     */
+    static URL loadResource(final Class<?> clazz, final String resourceName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<URL>() {
+                public URL run() {
+                    URL url = null;
+                    ClassLoader clazzLoader = clazz.getClassLoader();
+                    url = clazzLoader.getResource(resourceName);
+
+                    if (url == null) {
+                        clazzLoader = Thread.currentThread().getContextClassLoader();
+                        url = clazzLoader.getResource(resourceName);
+                    }
+
+                    return url;
+                }
+            });
+        } else {
+            URL url = null;
+            ClassLoader clazzLoader = clazz.getClassLoader();
+            url = clazzLoader.getResource(resourceName);
+
+            if (url == null) {
+                clazzLoader = Thread.currentThread().getContextClassLoader();
+                url = clazzLoader.getResource(resourceName);
+            }
+
+            return url;
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java
new file mode 100755
index 0000000000..add73595bb
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SAML2Response.java
@@ -0,0 +1,543 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.api.saml.v2.response;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.exceptions.fed.IssueInstantMissingException;
+import org.keycloak.saml.common.util.DocumentUtil;
+import org.keycloak.saml.common.util.StaxUtil;
+import org.keycloak.saml.processing.core.parsers.saml.SAMLParser;
+import org.keycloak.saml.processing.core.saml.v2.common.IDGenerator;
+import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
+import org.keycloak.saml.processing.core.saml.v2.factories.JBossSAMLAuthnResponseFactory;
+import org.keycloak.saml.processing.core.saml.v2.factories.SAMLAssertionFactory;
+import org.keycloak.saml.processing.core.saml.v2.holders.IDPInfoHolder;
+import org.keycloak.saml.processing.core.saml.v2.holders.IssuerInfoHolder;
+import org.keycloak.saml.processing.core.saml.v2.holders.SPInfoHolder;
+import org.keycloak.saml.processing.core.saml.v2.util.AssertionUtil;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.saml.processing.core.saml.v2.writers.SAMLResponseWriter;
+import org.keycloak.saml.processing.core.util.JAXPValidationUtil;
+import org.keycloak.dom.saml.v2.SAML2Object;
+import org.keycloak.dom.saml.v2.assertion.ActionType;
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
+import org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType;
+import org.keycloak.dom.saml.v2.assertion.AuthnContextClassRefType;
+import org.keycloak.dom.saml.v2.assertion.AuthnContextType;
+import org.keycloak.dom.saml.v2.assertion.AuthnStatementType;
+import org.keycloak.dom.saml.v2.assertion.AuthzDecisionStatementType;
+import org.keycloak.dom.saml.v2.assertion.ConditionsType;
+import org.keycloak.dom.saml.v2.assertion.DecisionType;
+import org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType;
+import org.keycloak.dom.saml.v2.assertion.EncryptedElementType;
+import org.keycloak.dom.saml.v2.assertion.EvidenceType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.assertion.StatementAbstractType;
+import org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType;
+import org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType;
+import org.keycloak.dom.saml.v2.assertion.SubjectType;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
+import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.io.Writer;
+import java.net.URI;
+import java.util.Arrays;
+import java.util.LinkedList;
+import java.util.List;
+
+import static org.keycloak.saml.common.constants.JBossSAMLURIConstants.PROTOCOL_NSURI;
+
+/**
+ * API for dealing with SAML2 Response objects
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jan 5, 2009
+ */
+public class SAML2Response {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+    private long ASSERTION_VALIDITY = 5000; // 5secs in milis
+
+    private long CLOCK_SKEW = 2000; // 2secs
+
+    private SAMLDocumentHolder samlDocumentHolder = null;
+
+    /**
+     * Create an assertion
+     *
+     * @param id
+     * @param issuer
+     *
+     * @return
+     */
+    public AssertionType createAssertion(String id, NameIDType issuer) {
+        return AssertionUtil.createAssertion(id, issuer);
+    }
+
+    /**
+     * Create an AuthnStatement
+     *
+     * @param authnContextDeclRef such as JBossSAMLURIConstants.AC_PASSWORD_PROTECTED_TRANSPORT
+     * @param issueInstant
+     *
+     * @return
+     */
+    public AuthnStatementType createAuthnStatement(String authnContextDeclRef, XMLGregorianCalendar issueInstant) {
+        AuthnStatementType authnStatement = new AuthnStatementType(issueInstant);
+        AuthnContextType act = new AuthnContextType();
+        String authContextDeclRef = JBossSAMLURIConstants.AC_PASSWORD_PROTECTED_TRANSPORT.get();
+        act.addAuthenticatingAuthority(URI.create(authContextDeclRef));
+
+        AuthnContextType.AuthnContextTypeSequence sequence = act.new AuthnContextTypeSequence();
+        sequence.setClassRef(new AuthnContextClassRefType(URI.create(JBossSAMLURIConstants.AC_PASSWORD.get())));
+        act.setSequence(sequence);
+
+        authnStatement.setAuthnContext(act);
+        return authnStatement;
+    }
+
+    /**
+     * Create an Authorization Decision Statement Type
+     *
+     * @param resource
+     * @param decision
+     * @param evidence
+     * @param actions
+     *
+     * @return
+     */
+    public AuthzDecisionStatementType createAuthzDecisionStatementType(String resource, DecisionType decision,
+                                                                       EvidenceType evidence, ActionType... actions) {
+        AuthzDecisionStatementType authzDecST = new AuthzDecisionStatementType();
+        authzDecST.setResource(resource);
+        authzDecST.setDecision(decision);
+        if (evidence != null)
+            authzDecST.setEvidence(evidence);
+
+        if (actions != null) {
+            authzDecST.getAction().addAll(Arrays.asList(actions));
+        }
+
+        return authzDecST;
+    }
+
+    /**
+     * Construct a {@link ResponseType} without calling PicketLink STS for the assertion. The {@link AssertionType} is
+     * generated
+     * within this method
+     *
+     * @param ID id of the {@link ResponseType}
+     * @param sp
+     * @param idp
+     * @param issuerInfo
+     *
+     * @return
+     *
+     * @throws org.keycloak.saml.common.exceptions.ConfigurationException
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     */
+    public ResponseType createResponseType(String ID, SPInfoHolder sp, IDPInfoHolder idp, IssuerInfoHolder issuerInfo,
+                                           AssertionType assertion) throws ConfigurationException, ProcessingException {
+        String responseDestinationURI = sp.getResponseDestinationURI();
+
+        XMLGregorianCalendar issueInstant = XMLTimeUtil.getIssueInstant();
+
+        // Create assertion -> subject
+        SubjectType subjectType = new SubjectType();
+
+        // subject -> nameid
+        NameIDType nameIDType = new NameIDType();
+        nameIDType.setFormat(URI.create(idp.getNameIDFormat()));
+        nameIDType.setValue(idp.getNameIDFormatValue());
+
+        SubjectType.STSubType subType = new SubjectType.STSubType();
+        subType.addBaseID(nameIDType);
+        subjectType.setSubType(subType);
+
+        SubjectConfirmationType subjectConfirmation = new SubjectConfirmationType();
+        subjectConfirmation.setMethod(idp.getSubjectConfirmationMethod());
+
+        SubjectConfirmationDataType subjectConfirmationData = new SubjectConfirmationDataType();
+        subjectConfirmationData.setInResponseTo(sp.getRequestID());
+        subjectConfirmationData.setRecipient(responseDestinationURI);
+        //subjectConfirmationData.setNotBefore(issueInstant);
+        subjectConfirmationData.setNotOnOrAfter(issueInstant);
+
+        subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
+
+        subjectType.addConfirmation(subjectConfirmation);
+
+        ConditionsType conditions = assertion.getConditions();
+        // Update the subjectConfirmationData expiry based on the assertion
+        if (conditions != null) {
+            subjectConfirmationData.setNotOnOrAfter(conditions.getNotOnOrAfter());
+            //Add conditions -> AudienceRestriction
+            AudienceRestrictionType audience = new AudienceRestrictionType();
+            audience.addAudience(URI.create(sp.getResponseDestinationURI()));
+            conditions.addCondition(audience);
+        }
+
+        ResponseType responseType = createResponseType(ID, issuerInfo, assertion);
+        // InResponseTo ID
+        responseType.setInResponseTo(sp.getRequestID());
+        // Destination
+        responseType.setDestination(responseDestinationURI);
+
+        return responseType;
+    }
+
+    /**
+     * Create a ResponseType
+     *
+     * <b>NOTE:</b>: The PicketLink STS is used to issue/update the assertion
+     *
+     * If you want to control over the assertion being issued, then use
+     * {@link #createResponseType(String, SPInfoHolder, IDPInfoHolder, IssuerInfoHolder, AssertionType)}
+     *
+     * @param ID id of the response
+     * @param sp holder with the information about the Service Provider
+     * @param idp holder with the information on the Identity Provider
+     * @param issuerInfo holder with information on the issuer
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     * @throws ProcessingException
+     */
+    public ResponseType createResponseType(String ID, SPInfoHolder sp, IDPInfoHolder idp, IssuerInfoHolder issuerInfo)
+            throws ConfigurationException, ProcessingException {
+        String responseDestinationURI = sp.getResponseDestinationURI();
+
+        XMLGregorianCalendar issueInstant = XMLTimeUtil.getIssueInstant();
+
+        // Create assertion -> subject
+        SubjectType subjectType = new SubjectType();
+
+        // subject -> nameid
+        NameIDType nameIDType = new NameIDType();
+        nameIDType.setFormat(URI.create(idp.getNameIDFormat()));
+        nameIDType.setValue(idp.getNameIDFormatValue());
+
+        SubjectType.STSubType subType = new SubjectType.STSubType();
+        subType.addBaseID(nameIDType);
+        subjectType.setSubType(subType);
+
+        SubjectConfirmationType subjectConfirmation = new SubjectConfirmationType();
+        subjectConfirmation.setMethod(idp.getSubjectConfirmationMethod());
+
+        SubjectConfirmationDataType subjectConfirmationData = new SubjectConfirmationDataType();
+        subjectConfirmationData.setInResponseTo(sp.getRequestID());
+        subjectConfirmationData.setRecipient(responseDestinationURI);
+        //subjectConfirmationData.setNotBefore(issueInstant);
+        subjectConfirmationData.setNotOnOrAfter(issueInstant);
+
+        subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
+
+        subjectType.addConfirmation(subjectConfirmation);
+
+        AssertionType assertionType = null;
+        NameIDType issuerID = issuerInfo.getIssuer();
+        try {
+            issueInstant = XMLTimeUtil.getIssueInstant();
+        } catch (ConfigurationException e) {
+            throw logger.processingError(e);
+        }
+        ConditionsType conditions = null;
+        List<StatementAbstractType> statements = new LinkedList<>();
+
+        // generate an id for the new assertion.
+        String assertionID = IDGenerator.create("ID_");
+
+        assertionType = SAMLAssertionFactory.createAssertion(assertionID, issuerID, issueInstant, conditions,
+                subjectType, statements);
+
+        try {
+            AssertionUtil.createTimedConditions(assertionType, ASSERTION_VALIDITY, CLOCK_SKEW);
+        } catch (ConfigurationException e) {
+            throw logger.processingError(e);
+        } catch (IssueInstantMissingException e) {
+            throw logger.processingError(e);
+        }
+
+        ResponseType responseType = createResponseType(ID, issuerInfo, assertionType);
+        // InResponseTo ID
+        responseType.setInResponseTo(sp.getRequestID());
+        // Destination
+        responseType.setDestination(responseDestinationURI);
+
+        return responseType;
+    }
+
+    /**
+     * Create an empty response type
+     *
+     * @return
+     */
+    public ResponseType createResponseType(String ID) {
+        try {
+            return new ResponseType(ID, XMLTimeUtil.getIssueInstant());
+        } catch (ConfigurationException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    /**
+     * Create a ResponseType
+     *
+     * @param ID
+     * @param issuerInfo
+     * @param assertion
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public ResponseType createResponseType(String ID, IssuerInfoHolder issuerInfo, AssertionType assertion)
+            throws ConfigurationException {
+        return JBossSAMLAuthnResponseFactory.createResponseType(ID, issuerInfo, assertion);
+    }
+
+    /**
+     * Create a ResponseType
+     *
+     * @param ID
+     * @param issuerInfo
+     * @param encryptedAssertion a DOM {@link Element} that represents an encrypted assertion
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public ResponseType createResponseType(String ID, IssuerInfoHolder issuerInfo, Element encryptedAssertion)
+            throws ConfigurationException {
+        return JBossSAMLAuthnResponseFactory.createResponseType(ID, issuerInfo, encryptedAssertion);
+    }
+
+    /**
+     * Add validity conditions to the SAML2 Assertion
+     *
+     * @param assertion
+     * @param durationInMilis
+     *
+     * @throws ConfigurationException
+     * @throws IssueInstantMissingException
+     */
+    public void createTimedConditions(AssertionType assertion, long durationInMilis) throws ConfigurationException,
+            IssueInstantMissingException {
+        AssertionUtil.createTimedConditions(assertion, durationInMilis);
+    }
+
+    /**
+     * Get an encrypted assertion from the stream
+     *
+     * @param is
+     *
+     * @return
+     *
+     * @throws org.keycloak.saml.common.exceptions.ParsingException
+     * @throws ProcessingException
+     * @throws ConfigurationException
+     */
+    public EncryptedAssertionType getEncryptedAssertion(InputStream is) throws ParsingException, ConfigurationException,
+            ProcessingException {
+        if (is == null)
+            throw logger.nullArgumentError("InputStream");
+
+        Document samlDocument = DocumentUtil.getDocument(is);
+        SAMLParser samlParser = new SAMLParser();
+        JAXPValidationUtil.checkSchemaValidation(samlDocument);
+
+        return (EncryptedAssertionType) samlParser.parse(DocumentUtil.getNodeAsStream(samlDocument));
+
+    }
+
+    /**
+     * Read an assertion from an input stream
+     *
+     * @param is
+     *
+     * @return
+     *
+     * @throws ParsingException
+     * @throws ProcessingException
+     * @throws ConfigurationException
+     */
+    public AssertionType getAssertionType(InputStream is) throws ParsingException, ConfigurationException, ProcessingException {
+        if (is == null)
+            throw logger.nullArgumentError("InputStream");
+        Document samlDocument = DocumentUtil.getDocument(is);
+
+        SAMLParser samlParser = new SAMLParser();
+        JAXPValidationUtil.checkSchemaValidation(samlDocument);
+        return (AssertionType) samlParser.parse(DocumentUtil.getNodeAsStream(samlDocument));
+    }
+
+    /**
+     * Get the parsed {@code SAMLDocumentHolder}
+     *
+     * @return
+     */
+    public SAMLDocumentHolder getSamlDocumentHolder() {
+        return samlDocumentHolder;
+    }
+
+    /**
+     * Read a ResponseType from an input stream
+     *
+     * @param is
+     *
+     * @return
+     *
+     * @throws ParsingException
+     * @throws ConfigurationException
+     */
+    public ResponseType getResponseType(InputStream is) throws ParsingException, ConfigurationException, ProcessingException {
+        if (is == null)
+            throw logger.nullArgumentError("InputStream");
+
+        Document samlResponseDocument = DocumentUtil.getDocument(is);
+
+        SAMLParser samlParser = new SAMLParser();
+        JAXPValidationUtil.checkSchemaValidation(samlResponseDocument);
+
+        ResponseType responseType = (ResponseType) samlParser.parse(DocumentUtil.getNodeAsStream(samlResponseDocument));
+
+        samlDocumentHolder = new SAMLDocumentHolder(responseType, samlResponseDocument);
+        return responseType;
+    }
+
+    /**
+     * Read a {@code SAML2Object} from an input stream
+     *
+     * @param is
+     *
+     * @return
+     *
+     * @throws ParsingException
+     * @throws ConfigurationException
+     * @throws ProcessingException
+     */
+    public SAML2Object getSAML2ObjectFromStream(InputStream is) throws ParsingException, ConfigurationException,
+            ProcessingException {
+        if (is == null)
+            throw logger.nullArgumentError("InputStream");
+
+        Document samlResponseDocument = DocumentUtil.getDocument(is);
+
+        if (logger.isTraceEnabled()) {
+            logger.trace("SAML Response Document: " + DocumentUtil.asString(samlResponseDocument));
+        }
+
+        SAMLParser samlParser = new SAMLParser();
+        JAXPValidationUtil.checkSchemaValidation(samlResponseDocument);
+
+        InputStream responseStream = DocumentUtil.getNodeAsStream(samlResponseDocument);
+        SAML2Object responseType = (SAML2Object) samlParser.parse(responseStream);
+
+        samlDocumentHolder = new SAMLDocumentHolder(responseType, samlResponseDocument);
+        return responseType;
+
+    }
+
+    /**
+     * Convert an EncryptedElement into a Document
+     *
+     * @param encryptedElementType
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public Document convert(EncryptedElementType encryptedElementType) throws ConfigurationException {
+        if (encryptedElementType == null)
+            throw logger.nullArgumentError("encryptedElementType");
+        Document doc = DocumentUtil.createDocument();
+        Node importedNode = doc.importNode(encryptedElementType.getEncryptedElement(), true);
+        doc.appendChild(importedNode);
+
+        return doc;
+    }
+
+    /**
+     * Convert a SAML2 Response into a Document
+     *
+     * @param responseType
+     *
+     * @return
+     *
+     * @throws ParsingException
+     * @throws ConfigurationException
+     * @throws ProcessingException
+     */
+    public Document convert(StatusResponseType responseType) throws ProcessingException, ConfigurationException,
+            ParsingException {
+        ByteArrayOutputStream bos = new ByteArrayOutputStream();
+
+        SAMLResponseWriter writer = new SAMLResponseWriter(StaxUtil.getXMLStreamWriter(bos));
+
+        if (responseType instanceof ResponseType) {
+            ResponseType response = (ResponseType) responseType;
+            writer.write(response);
+        } else {
+            writer.write(responseType, new QName(PROTOCOL_NSURI.get(), JBossSAMLConstants.LOGOUT_RESPONSE.get(), "samlp"));
+        }
+
+        return DocumentUtil.getDocument(new ByteArrayInputStream(bos.toByteArray()));
+    }
+
+    /**
+     * Marshall the response type to the output stream
+     *
+     * @param responseType
+     * @param os
+     *
+     * @throws ProcessingException
+     */
+    public void marshall(ResponseType responseType, OutputStream os) throws ProcessingException {
+        SAMLResponseWriter samlWriter = new SAMLResponseWriter(StaxUtil.getXMLStreamWriter(os));
+        samlWriter.write(responseType);
+    }
+
+    /**
+     * Marshall the ResponseType into a writer
+     *
+     * @param responseType
+     * @param writer
+     *
+     * @throws ProcessingException
+     */
+    public void marshall(ResponseType responseType, Writer writer) throws ProcessingException {
+        SAMLResponseWriter samlWriter = new SAMLResponseWriter(StaxUtil.getXMLStreamWriter(writer));
+        samlWriter.write(responseType);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SecurityActions.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SecurityActions.java
new file mode 100755
index 0000000000..6cd7266223
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/response/SecurityActions.java
@@ -0,0 +1,122 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.api.saml.v2.response;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * Privileged Blocks
+ */
+class SecurityActions {
+
+    /**
+     * <p>
+     * Loads a {@link Class} using the <code>fullQualifiedName</code> supplied. This method tries first to load from
+     * the
+     * specified {@link Class}, if not found it will try to load from using TCL.
+     * </p>
+     *
+     * @param theClass
+     * @param fullQualifiedName
+     *
+     * @return
+     */
+    static Class<?> loadClass(final Class<?> theClass, final String fullQualifiedName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
+                public Class<?> run() {
+                    ClassLoader classLoader = theClass.getClassLoader();
+
+                    Class<?> clazz = loadClass(classLoader, fullQualifiedName);
+                    if (clazz == null) {
+                        classLoader = Thread.currentThread().getContextClassLoader();
+                        clazz = loadClass(classLoader, fullQualifiedName);
+                    }
+                    return clazz;
+                }
+            });
+        } else {
+            ClassLoader classLoader = theClass.getClassLoader();
+
+            Class<?> clazz = loadClass(classLoader, fullQualifiedName);
+            if (clazz == null) {
+                classLoader = Thread.currentThread().getContextClassLoader();
+                clazz = loadClass(classLoader, fullQualifiedName);
+            }
+            return clazz;
+        }
+    }
+
+    /**
+     * <p>
+     * Loads a class from the specified {@link ClassLoader} using the <code>fullQualifiedName</code> supplied.
+     * </p>
+     *
+     * @param classLoader
+     * @param fullQualifiedName
+     *
+     * @return
+     */
+    static Class<?> loadClass(final ClassLoader classLoader, final String fullQualifiedName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
+                public Class<?> run() {
+                    try {
+                        return classLoader.loadClass(fullQualifiedName);
+                    } catch (ClassNotFoundException e) {
+                    }
+                    return null;
+                }
+            });
+        } else {
+            try {
+                return classLoader.loadClass(fullQualifiedName);
+            } catch (ClassNotFoundException e) {
+            }
+            return null;
+        }
+    }
+
+    /**
+     * <p>Returns a system property value using the specified <code>key</code>. If not found the
+     * <code>defaultValue</code> will be returned.</p>
+     *
+     * @param key
+     * @param defaultValue
+     *
+     * @return
+     */
+    static String getSystemProperty(final String key, final String defaultValue) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<String>() {
+                public String run() {
+                    return System.getProperty(key, defaultValue);
+                }
+            });
+        } else {
+            return System.getProperty(key, defaultValue);
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/sig/SAML2Signature.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/sig/SAML2Signature.java
new file mode 100755
index 0000000000..cb86c1932c
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/saml/v2/sig/SAML2Signature.java
@@ -0,0 +1,358 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.api.saml.v2.sig;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
+import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
+import org.keycloak.saml.processing.core.util.SignatureUtilTransferObject;
+import org.keycloak.saml.processing.core.util.XMLSignatureUtil;
+import org.keycloak.dom.saml.v2.protocol.RequestAbstractType;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.SAXException;
+
+import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.dsig.DigestMethod;
+import javax.xml.crypto.dsig.SignatureMethod;
+import javax.xml.crypto.dsig.XMLSignatureException;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactoryConfigurationError;
+import javax.xml.xpath.XPathException;
+import java.io.IOException;
+import java.security.GeneralSecurityException;
+import java.security.KeyPair;
+import java.security.PublicKey;
+import java.security.cert.X509Certificate;
+
+/**
+ * Class that deals with SAML2 Signature
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @author alessio.soldano@jboss.com
+ * @since May 26, 2009
+ */
+public class SAML2Signature {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    private static final String ID_ATTRIBUTE_NAME = "ID";
+
+    private String signatureMethod = SignatureMethod.RSA_SHA1;
+
+    private String digestMethod = DigestMethod.SHA1;
+
+    private Node sibling;
+
+    /**
+     * Set the X509Certificate if X509Data is needed in signed info
+     */
+    private X509Certificate x509Certificate;
+
+    public String getSignatureMethod() {
+        return signatureMethod;
+    }
+
+    public void setSignatureMethod(String signatureMethod) {
+        this.signatureMethod = signatureMethod;
+    }
+
+    public String getDigestMethod() {
+        return digestMethod;
+    }
+
+    public void setDigestMethod(String digestMethod) {
+        this.digestMethod = digestMethod;
+    }
+
+    public void setNextSibling(Node sibling) {
+        this.sibling = sibling;
+    }
+
+    /**
+     * Set to false, if you do not want to include keyinfo in the signature
+     *
+     * @param val
+     *
+     * @since v2.0.1
+     */
+    public void setSignatureIncludeKeyInfo(boolean val) {
+        if (!val) {
+            XMLSignatureUtil.setIncludeKeyInfoInSignature(false);
+        }
+    }
+
+    /**
+     * Set the {@link X509Certificate} if you desire
+     * to have the SignedInfo have X509 Data
+     *
+     * This method needs to be called before any of the sign methods.
+     *
+     * @param x509Certificate
+     *
+     * @since v2.5.0
+     */
+    public void setX509Certificate(X509Certificate x509Certificate) {
+        this.x509Certificate = x509Certificate;
+    }
+
+    /**
+     * Sign an RequestType at the root
+     *
+     * @param request
+     * @param keypair Key Pair
+     * @param digestMethod (Example: DigestMethod.SHA1)
+     * @param signatureMethod (Example: SignatureMethod.DSA_SHA1)
+     *
+     * @return
+     *
+     * @throws ParserConfigurationException
+     * @throws IOException
+     * @throws SAXException
+     * @throws XMLSignatureException
+     * @throws MarshalException
+     * @throws GeneralSecurityException
+     */
+    public Document sign(RequestAbstractType request, KeyPair keypair) throws SAXException, IOException,
+            ParserConfigurationException, GeneralSecurityException, MarshalException, XMLSignatureException {
+        SAML2Request saml2Request = new SAML2Request();
+        Document doc = saml2Request.convert(request);
+        doc.normalize();
+
+        Node theSibling = getNextSiblingOfIssuer(doc);
+        if (theSibling != null) {
+            this.sibling = theSibling;
+        }
+
+        return sign(doc, request.getID(), keypair);
+    }
+
+    /**
+     * Sign an ResponseType at the root
+     *
+     * @param response
+     * @param keypair Key Pair
+     * @param digestMethod (Example: DigestMethod.SHA1)
+     * @param signatureMethod (Example: SignatureMethod.DSA_SHA1)
+     *
+     * @return
+     *
+     * @throws ParserConfigurationException
+     * @throws XMLSignatureException
+     * @throws MarshalException
+     * @throws GeneralSecurityException
+     */
+    public Document sign(ResponseType response, KeyPair keypair) throws ParserConfigurationException, GeneralSecurityException,
+            MarshalException, XMLSignatureException {
+        SAML2Response saml2Request = new SAML2Response();
+        Document doc = saml2Request.convert(response);
+        doc.normalize();
+
+        Node theSibling = getNextSiblingOfIssuer(doc);
+        if (theSibling != null) {
+            this.sibling = theSibling;
+        }
+
+        return sign(doc, response.getID(), keypair);
+    }
+
+    /**
+     * Sign an Document at the root
+     *
+     * @param response
+     * @param keyPair Key Pair
+     * @param digestMethod (Example: DigestMethod.SHA1)
+     * @param signatureMethod (Example: SignatureMethod.DSA_SHA1)
+     *
+     * @return
+     *
+     * @throws ParserConfigurationException
+     * @throws XMLSignatureException
+     * @throws MarshalException
+     * @throws GeneralSecurityException
+     */
+    public Document sign(Document doc, String referenceID, KeyPair keyPair) throws ParserConfigurationException,
+            GeneralSecurityException, MarshalException, XMLSignatureException {
+        String referenceURI = "#" + referenceID;
+
+        configureIdAttribute(doc);
+
+        if (sibling != null) {
+            SignatureUtilTransferObject dto = new SignatureUtilTransferObject();
+            dto.setDocumentToBeSigned(doc);
+            dto.setKeyPair(keyPair);
+            dto.setDigestMethod(digestMethod);
+            dto.setSignatureMethod(signatureMethod);
+            dto.setReferenceURI(referenceURI);
+            dto.setNextSibling(sibling);
+
+            if (x509Certificate != null) {
+                dto.setX509Certificate(x509Certificate);
+            }
+
+            return XMLSignatureUtil.sign(dto);
+        }
+        return XMLSignatureUtil.sign(doc, keyPair, digestMethod, signatureMethod, referenceURI);
+    }
+
+    /**
+     * Sign an assertion whose id value is provided in the response type
+     *
+     * @param response
+     * @param idValueOfAssertion
+     * @param keypair
+     * @param referenceURI
+     *
+     * @return
+     *
+     * @throws ParserConfigurationException
+     * @throws TransformerException
+     * @throws TransformerFactoryConfigurationError
+     * @throws XPathException
+     * @throws XMLSignatureException
+     * @throws MarshalException
+     * @throws GeneralSecurityException
+     */
+    public Document sign(ResponseType response, String idValueOfAssertion, KeyPair keypair, String referenceURI)
+            throws ParserConfigurationException, XPathException, TransformerFactoryConfigurationError, TransformerException,
+            GeneralSecurityException, MarshalException, XMLSignatureException {
+        SAML2Response saml2Response = new SAML2Response();
+        Document doc = saml2Response.convert(response);
+        doc.normalize();
+
+        Node theSibling = getNextSiblingOfIssuer(doc);
+        if (theSibling != null) {
+            this.sibling = theSibling;
+        }
+
+        return sign(doc, idValueOfAssertion, keypair, referenceURI);
+    }
+
+    /**
+     * Sign a document
+     *
+     * @param doc
+     * @param idValueOfAssertion
+     * @param keypair
+     * @param referenceURI
+     *
+     * @return
+     *
+     * @throws ParserConfigurationException
+     * @throws XPathException
+     * @throws TransformerFactoryConfigurationError
+     * @throws TransformerException
+     * @throws GeneralSecurityException
+     * @throws MarshalException
+     * @throws XMLSignatureException
+     */
+    public Document sign(Document doc, String idValueOfAssertion, KeyPair keypair, String referenceURI)
+            throws ParserConfigurationException, XPathException, TransformerFactoryConfigurationError, TransformerException,
+            GeneralSecurityException, MarshalException, XMLSignatureException {
+        return sign(doc, idValueOfAssertion, keypair);
+    }
+
+    /**
+     * Sign a SAML Document
+     *
+     * @param samlDocument
+     * @param keypair
+     *
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     */
+    public void signSAMLDocument(Document samlDocument, KeyPair keypair) throws ProcessingException {
+        // Get the ID from the root
+        String id = samlDocument.getDocumentElement().getAttribute(ID_ATTRIBUTE_NAME);
+        try {
+            sign(samlDocument, id, keypair);
+        } catch (Exception e) {
+            throw new ProcessingException(logger.signatureError(e));
+        }
+    }
+
+    /**
+     * Validate the SAML2 Document
+     *
+     * @param signedDocument
+     * @param publicKey
+     *
+     * @return
+     *
+     * @throws ProcessingException
+     */
+    public boolean validate(Document signedDocument, PublicKey publicKey) throws ProcessingException {
+        try {
+            configureIdAttribute(signedDocument);
+            return XMLSignatureUtil.validate(signedDocument, publicKey);
+        } catch (MarshalException me) {
+            throw new ProcessingException(logger.signatureError(me));
+        } catch (XMLSignatureException xse) {
+            throw new ProcessingException(logger.signatureError(xse));
+        }
+    }
+
+    /**
+     * Given a {@link Document}, find the {@link Node} which is the sibling of the Issuer element
+     *
+     * @param doc
+     *
+     * @return
+     */
+    public Node getNextSiblingOfIssuer(Document doc) {
+        // Find the sibling of Issuer
+        NodeList nl = doc.getElementsByTagNameNS(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ISSUER.get());
+        if (nl.getLength() > 0) {
+            Node issuer = nl.item(0);
+
+            return issuer.getNextSibling();
+        }
+        return null;
+    }
+
+    /**
+     * <p>
+     * Sets the IDness of the ID attribute. Santuario 1.5.1 does not assumes IDness based on attribute names anymore.
+     * This
+     * method should be called before signing/validating a saml document.
+     * </p>
+     *
+     * @param document SAML document to have its ID attribute configured.
+     */
+    private void configureIdAttribute(Document document) {
+        // Estabilish the IDness of the ID attribute.
+        document.getDocumentElement().setIdAttribute(ID_ATTRIBUTE_NAME, true);
+
+        NodeList nodes = document.getElementsByTagNameNS(JBossSAMLURIConstants.ASSERTION_NSURI.get(),
+                JBossSAMLConstants.ASSERTION.get());
+
+        for (int i = 0; i < nodes.getLength(); i++) {
+            Node n = nodes.item(i);
+            if (n instanceof Element) {
+                ((Element) n).setIdAttribute(ID_ATTRIBUTE_NAME, true);
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/util/DeflateUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/util/DeflateUtil.java
new file mode 100755
index 0000000000..eee41bbf85
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/api/util/DeflateUtil.java
@@ -0,0 +1,80 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.api.util;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.zip.Deflater;
+import java.util.zip.DeflaterOutputStream;
+import java.util.zip.Inflater;
+import java.util.zip.InflaterInputStream;
+
+/**
+ * Encoder of saml messages based on DEFLATE compression
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 11, 2008
+ */
+public class DeflateUtil {
+
+    /**
+     * Apply DEFLATE encoding
+     *
+     * @param message
+     *
+     * @return
+     *
+     * @throws IOException
+     */
+    public static byte[] encode(byte[] message) throws IOException {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        Deflater deflater = new Deflater(Deflater.DEFLATED, true);
+        DeflaterOutputStream deflaterStream = new DeflaterOutputStream(baos, deflater);
+        deflaterStream.write(message);
+        deflaterStream.finish();
+
+        return baos.toByteArray();
+    }
+
+    /**
+     * Apply DEFLATE encoding
+     *
+     * @param message
+     *
+     * @return
+     *
+     * @throws IOException
+     */
+    public static byte[] encode(String message) throws IOException {
+        return encode(message.getBytes());
+    }
+
+    /**
+     * DEFLATE decoding
+     *
+     * @param msgToDecode the message that needs decoding
+     *
+     * @return
+     */
+    public static InputStream decode(byte[] msgToDecode) {
+        ByteArrayInputStream bais = new ByteArrayInputStream(msgToDecode);
+        return new InflaterInputStream(bais, new Inflater(true));
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/constants/AttributeConstants.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/constants/AttributeConstants.java
new file mode 100755
index 0000000000..97fe7c1814
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/constants/AttributeConstants.java
@@ -0,0 +1,34 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.constants;
+
+/**
+ * Constants for attributes
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Aug 31, 2009
+ */
+public interface AttributeConstants {
+
+    String ROLES = "roles";
+
+    /**
+     * Default identifier in the saml2 attribute statements to indicate role *
+     */
+    String ROLE_IDENTIFIER_ASSERTION = "Role";
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/constants/PicketLinkFederationConstants.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/constants/PicketLinkFederationConstants.java
new file mode 100755
index 0000000000..29d5058c12
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/constants/PicketLinkFederationConstants.java
@@ -0,0 +1,53 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.constants;
+
+/**
+ * Constants useful to the JBoss Identity Federation project
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Feb 23, 2009
+ */
+public interface PicketLinkFederationConstants {
+
+    /**
+     * Flag to indicate whether JAXB Schema Validation is turned on
+     */
+    String JAXB_SCHEMA_VALIDATION = "org.picketlink.jaxb.schema.validation";
+
+    String SCHEMA_IDFED = "schema/config/picketlink-fed.xsd";
+    String SCHEMA_IDFED_HANDLER = "schema/config/picketlink-fed-handler.xsd";
+    String DSA_SIGNATURE_ALGORITHM = "SHA1withDSA";
+    String RSA_SIGNATURE_ALGORITHM = "SHA1withRSA";
+
+    // File Based Meta data Configuration Constants
+    String SERIALIZATION_EXTENSION = ".SER";
+    String FILE_STORE_DIRECTORY = "/picketlink-store";
+    String IDP_PROPERTIES = "/identityproviders.properties";
+    String SP_PROPERTIES = "/serviceproviders.properties";
+
+    String SALT = "salt";
+    String ITERATION_COUNT = "iterationCount";
+
+    String PBE_ALGORITHM = "PBEwithMD5andDES";
+    // Prefix to indicate a particular configuration property value is masked
+    String PASS_MASK_PREFIX = "MASK-";
+
+    RuntimePermission RUNTIME_PERMISSION_CORE = new RuntimePermission("org.picketlink.core");
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11AssertionParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11AssertionParser.java
new file mode 100755
index 0000000000..a16c5119f9
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11AssertionParser.java
@@ -0,0 +1,178 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.DocumentUtil;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.common.util.StringUtil;
+import org.keycloak.saml.processing.core.parsers.util.SAML11ParserUtil;
+import org.keycloak.saml.processing.core.saml.v1.SAML11Constants;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v1.assertion.SAML11AssertionType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AttributeStatementType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AuthenticationStatementType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AuthorizationDecisionStatementType;
+import org.keycloak.dom.saml.v1.assertion.SAML11ConditionsType;
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectStatementType;
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectType;
+import org.w3c.dom.Element;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.EndElement;
+import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
+
+/**
+ * Parse the saml assertion
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Oct 12, 2010
+ */
+public class SAML11AssertionParser implements ParserNamespaceSupport {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    private final String ASSERTION = JBossSAMLConstants.ASSERTION.get();
+
+    public SAML11AssertionType fromElement(Element element) throws ConfigurationException, ProcessingException,
+            ParsingException {
+        XMLEventReader xmlEventReader = StaxParserUtil.getXMLEventReader(DocumentUtil.getNodeAsStream(element));
+        return (SAML11AssertionType) parse(xmlEventReader);
+    }
+
+    /**
+     * @see {@link ParserNamespaceSupport#parse(XMLEventReader)}
+     */
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+
+        startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+
+        // Special case: Encrypted Assertion
+        StaxParserUtil.validate(startElement, ASSERTION);
+        SAML11AssertionType assertion = parseBaseAttributes(startElement);
+
+        Attribute issuerAttribute = startElement.getAttributeByName(new QName(SAML11Constants.ISSUER));
+        String issuer = StaxParserUtil.getAttributeValue(issuerAttribute);
+        assertion.setIssuer(issuer);
+
+        // Peek at the next event
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent == null)
+                break;
+
+            if (xmlEvent instanceof EndElement) {
+                xmlEvent = StaxParserUtil.getNextEvent(xmlEventReader);
+                EndElement endElement = (EndElement) xmlEvent;
+                String endElementTag = StaxParserUtil.getEndElementName(endElement);
+                if (endElementTag.equals(JBossSAMLConstants.ASSERTION.get()))
+                    break;
+                else
+                    throw logger.parserUnknownEndElement(endElementTag);
+            }
+
+            StartElement peekedElement = null;
+
+            if (xmlEvent instanceof StartElement) {
+                peekedElement = (StartElement) xmlEvent;
+            } else {
+                peekedElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            }
+            if (peekedElement == null)
+                break;
+
+            String tag = StaxParserUtil.getStartElementName(peekedElement);
+
+            if (tag.equals(JBossSAMLConstants.SIGNATURE.get())) {
+                assertion.setSignature(StaxParserUtil.getDOMElement(xmlEventReader));
+            } else if (JBossSAMLConstants.ISSUER.get().equalsIgnoreCase(tag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                issuer = StaxParserUtil.getElementText(xmlEventReader);
+
+                assertion.setIssuer(issuer);
+            } else if (JBossSAMLConstants.SUBJECT.get().equalsIgnoreCase(tag)) {
+                SAML11SubjectParser subjectParser = new SAML11SubjectParser();
+                SAML11SubjectType subject = (SAML11SubjectType) subjectParser.parse(xmlEventReader);
+                SAML11SubjectStatementType subStat = new SAML11SubjectStatementType();
+                subStat.setSubject(subject);
+            } else if (JBossSAMLConstants.CONDITIONS.get().equalsIgnoreCase(tag)) {
+                startElement = (StartElement) xmlEvent;
+
+                SAML11ConditionsType conditions = SAML11ParserUtil.parseSAML11Conditions(xmlEventReader);
+                assertion.setConditions(conditions);
+            } else if (SAML11Constants.AUTHENTICATION_STATEMENT.equals(tag)) {
+                startElement = (StartElement) xmlEvent;
+                SAML11AuthenticationStatementType authStat = SAML11ParserUtil.parseAuthenticationStatement(xmlEventReader);
+                assertion.add(authStat);
+            } else if (SAML11Constants.ATTRIBUTE_STATEMENT.equalsIgnoreCase(tag)) {
+                SAML11AttributeStatementType attributeStatementType = SAML11ParserUtil
+                        .parseSAML11AttributeStatement(xmlEventReader);
+                assertion.add(attributeStatementType);
+            } else if (SAML11Constants.AUTHORIZATION_DECISION_STATEMENT.equalsIgnoreCase(tag)) {
+                SAML11AuthorizationDecisionStatementType authzStat = SAML11ParserUtil
+                        .parseSAML11AuthorizationDecisionStatement(xmlEventReader);
+                assertion.add(authzStat);
+            } else
+                throw logger.parserUnknownTag(tag, peekedElement.getLocation());
+        }
+        return assertion;
+    }
+
+    /**
+     * @see {@link ParserNamespaceSupport#supports(QName)}
+     */
+    public boolean supports(QName qname) {
+        String nsURI = qname.getNamespaceURI();
+        String localPart = qname.getLocalPart();
+
+        return nsURI.equals(JBossSAMLURIConstants.ASSERTION_NSURI.get())
+                && localPart.equals(JBossSAMLConstants.ASSERTION.get());
+    }
+
+    private SAML11AssertionType parseBaseAttributes(StartElement nextElement) throws ParsingException {
+        Attribute idAttribute = nextElement.getAttributeByName(new QName(SAML11Constants.ASSERTIONID));
+        if (idAttribute == null)
+            throw logger.parserRequiredAttribute("AssertionID");
+        String id = StaxParserUtil.getAttributeValue(idAttribute);
+
+        Attribute majVersionAttribute = nextElement.getAttributeByName(new QName(SAML11Constants.MAJOR_VERSION));
+        String majVersion = StaxParserUtil.getAttributeValue(majVersionAttribute);
+        StringUtil.match("1", majVersion);
+
+        Attribute minVersionAttribute = nextElement.getAttributeByName(new QName(SAML11Constants.MINOR_VERSION));
+        String minVersion = StaxParserUtil.getAttributeValue(minVersionAttribute);
+        StringUtil.match("1", minVersion);
+
+        Attribute issueInstantAttribute = nextElement.getAttributeByName(new QName(JBossSAMLConstants.ISSUE_INSTANT.get()));
+        XMLGregorianCalendar issueInstant = XMLTimeUtil.parse(StaxParserUtil.getAttributeValue(issueInstantAttribute));
+
+        return new SAML11AssertionType(id, issueInstant);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11RequestParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11RequestParser.java
new file mode 100755
index 0000000000..6abf6c6cb8
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11RequestParser.java
@@ -0,0 +1,116 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.processing.core.parsers.util.SAML11ParserUtil;
+import org.keycloak.saml.processing.core.saml.v1.SAML11Constants;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v1.protocol.SAML11AttributeQueryType;
+import org.keycloak.dom.saml.v1.protocol.SAML11AuthenticationQueryType;
+import org.keycloak.dom.saml.v1.protocol.SAML11AuthorizationDecisionQueryType;
+import org.keycloak.dom.saml.v1.protocol.SAML11RequestType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.StartElement;
+
+/**
+ * Parse the SAML2 AuthnRequest
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since June 24, 2011
+ */
+public class SAML11RequestParser implements ParserNamespaceSupport {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    protected SAML11RequestType parseRequiredAttributes(StartElement startElement) throws ParsingException {
+        Attribute idAttr = startElement.getAttributeByName(new QName(SAML11Constants.REQUEST_ID));
+        if (idAttr == null)
+            throw logger.parserRequiredAttribute(SAML11Constants.REQUEST_ID);
+
+        String id = StaxParserUtil.getAttributeValue(idAttr);
+
+        Attribute issueInstantAttr = startElement.getAttributeByName(new QName(SAML11Constants.ISSUE_INSTANT));
+        if (issueInstantAttr == null)
+            throw logger.parserRequiredAttribute(SAML11Constants.ISSUE_INSTANT);
+        XMLGregorianCalendar issueInstant = XMLTimeUtil.parse(StaxParserUtil.getAttributeValue(issueInstantAttr));
+        return new SAML11RequestType(id, issueInstant);
+    }
+
+    /**
+     * @see {@link ParserNamespaceSupport#parse(XMLEventReader)}
+     */
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+        // Get the startelement
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, SAML11Constants.REQUEST);
+
+        SAML11RequestType request = parseRequiredAttributes(startElement);
+
+        while (xmlEventReader.hasNext()) {
+            // Let us peek at the next start element
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (startElement == null)
+                break;
+
+            String elementName = StaxParserUtil.getStartElementName(startElement);
+
+            if (SAML11Constants.ATTRIBUTE_QUERY.equals(elementName)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                SAML11AttributeQueryType query = SAML11ParserUtil.parseSAML11AttributeQuery(xmlEventReader);
+                request.setQuery(query);
+            } else if (SAML11Constants.AUTHENTICATION_QUERY.equals(elementName)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                SAML11AuthenticationQueryType query = SAML11ParserUtil.parseSAML11AuthenticationQuery(xmlEventReader);
+                request.setQuery(query);
+            } else if (SAML11Constants.ASSERTION_ARTIFACT.equals(elementName)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                request.addAssertionArtifact(StaxParserUtil.getElementText(xmlEventReader));
+            } else if (SAML11Constants.AUTHORIZATION_DECISION_QUERY.equals(elementName)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                SAML11AuthorizationDecisionQueryType query = SAML11ParserUtil
+                        .parseSAML11AuthorizationDecisionQueryType(xmlEventReader);
+                request.setQuery(query);
+            } else if (elementName.equals(JBossSAMLConstants.SIGNATURE.get())) {
+                request.setSignature(StaxParserUtil.getDOMElement(xmlEventReader));
+            } else if (SAML11Constants.ASSERTION_ID_REF.equals(elementName)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                request.addAssertionIDRef(StaxParserUtil.getElementText(xmlEventReader));
+            } else
+                throw logger.parserUnknownStartElement(elementName, startElement.getLocation());
+        }
+        return request;
+    }
+
+    /**
+     * @see {@link ParserNamespaceSupport#supports(QName)}
+     */
+    public boolean supports(QName qname) {
+        return JBossSAMLURIConstants.PROTOCOL_NSURI.get().equals(qname.getNamespaceURI());
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11ResponseParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11ResponseParser.java
new file mode 100755
index 0000000000..880783472f
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11ResponseParser.java
@@ -0,0 +1,189 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.processing.core.saml.v1.SAML11Constants;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v1.assertion.SAML11AssertionType;
+import org.keycloak.dom.saml.v1.protocol.SAML11ResponseType;
+import org.keycloak.dom.saml.v1.protocol.SAML11StatusCodeType;
+import org.keycloak.dom.saml.v1.protocol.SAML11StatusType;
+import org.keycloak.dom.saml.v2.protocol.StatusDetailType;
+import org.w3c.dom.Element;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.EndElement;
+import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
+
+/**
+ * Parse the SAML 11 Response
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since 23 June 2011
+ */
+public class SAML11ResponseParser implements ParserNamespaceSupport {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    private final String RESPONSE = JBossSAMLConstants.RESPONSE.get();
+
+    /**
+     * @see {@link ParserNamespaceSupport#parse(XMLEventReader)}
+     */
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+        // Get the startelement
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, RESPONSE);
+
+        Attribute idAttr = startElement.getAttributeByName(new QName(SAML11Constants.RESPONSE_ID));
+        if (idAttr == null)
+            throw logger.parserRequiredAttribute(SAML11Constants.RESPONSE_ID);
+        String id = StaxParserUtil.getAttributeValue(idAttr);
+
+        Attribute issueInstant = startElement.getAttributeByName(new QName(SAML11Constants.ISSUE_INSTANT));
+        if (issueInstant == null)
+            throw logger.parserRequiredAttribute(SAML11Constants.ISSUE_INSTANT);
+        XMLGregorianCalendar issueInstantVal = XMLTimeUtil.parse(StaxParserUtil.getAttributeValue(issueInstant));
+
+        SAML11ResponseType response = new SAML11ResponseType(id, issueInstantVal);
+
+        while (xmlEventReader.hasNext()) {
+            // Let us peek at the next start element
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (startElement == null)
+                break;
+            String elementName = StaxParserUtil.getStartElementName(startElement);
+            if (JBossSAMLConstants.SIGNATURE.get().equals(elementName)) {
+                Element sig = StaxParserUtil.getDOMElement(xmlEventReader);
+                response.setSignature(sig);
+            } else if (JBossSAMLConstants.ASSERTION.get().equals(elementName)) {
+                SAML11AssertionParser assertionParser = new SAML11AssertionParser();
+                response.add((SAML11AssertionType) assertionParser.parse(xmlEventReader));
+            } else if (JBossSAMLConstants.STATUS.get().equals(elementName)) {
+                response.setStatus(parseStatus(xmlEventReader));
+            } else
+                throw logger.parserUnknownStartElement(elementName, startElement.getLocation());
+        }
+
+        return response;
+    }
+
+    /**
+     * Parse the status element
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    protected SAML11StatusType parseStatus(XMLEventReader xmlEventReader) throws ParsingException {
+        // Get the Start Element
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        String STATUS = JBossSAMLConstants.STATUS.get();
+        StaxParserUtil.validate(startElement, STATUS);
+
+        SAML11StatusType status = new SAML11StatusType();
+
+        while (xmlEventReader.hasNext()) {
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+
+            if (startElement == null)
+                break;
+
+            QName startElementName = startElement.getName();
+            String elementTag = startElementName.getLocalPart();
+
+            SAML11StatusCodeType statusCode = null;
+
+            if (JBossSAMLConstants.STATUS_CODE.get().equals(elementTag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                if (startElement == null)
+                    break;
+                Attribute valueAttr = startElement.getAttributeByName(new QName("Value"));
+                if (valueAttr != null) {
+                    statusCode = new SAML11StatusCodeType(new QName(StaxParserUtil.getAttributeValue(valueAttr)));
+                }
+                status.setStatusCode(statusCode);
+
+                // Peek at the next start element to see if it is status code
+                startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+                elementTag = startElement.getName().getLocalPart();
+                if (JBossSAMLConstants.STATUS_CODE.get().equals(elementTag)) {
+                    SAML11StatusCodeType subStatusCodeType = null;
+                    startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                    Attribute subValueAttr = startElement.getAttributeByName(new QName("Value"));
+                    if (subValueAttr != null) {
+                        subStatusCodeType = new SAML11StatusCodeType(new QName(StaxParserUtil.getAttributeValue(subValueAttr)));
+                    }
+                    statusCode.setStatusCode(subStatusCodeType);
+
+                    // Go to Status code end element.
+                    EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                    StaxParserUtil.validate(endElement, JBossSAMLConstants.STATUS_CODE.get());
+                    continue;
+                }
+            }
+            if (JBossSAMLConstants.STATUS_MESSAGE.get().equals(elementTag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                if (startElement == null)
+                    break;
+                status.setStatusMessage(StaxParserUtil.getElementText(xmlEventReader));
+            }
+
+            if (JBossSAMLConstants.STATUS_DETAIL.get().equals(elementTag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                if (startElement == null)
+                    break;
+                Element domElement = StaxParserUtil.getDOMElement(xmlEventReader);
+                StatusDetailType statusDetailType = new StatusDetailType();
+                statusDetailType.addStatusDetail(domElement);
+                status.setStatusDetail(statusDetailType);
+            }
+
+            // Get the next end element
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                if (StaxParserUtil.matches(endElement, STATUS))
+                    break;
+                else
+                    throw logger.parserUnknownEndElement(StaxParserUtil.getEndElementName(endElement));
+            } else
+                break;
+        }
+        return status;
+    }
+
+    /**
+     * @see {@link ParserNamespaceSupport#supports(QName)}
+     */
+    public boolean supports(QName qname) {
+        return SAML11Constants.PROTOCOL_11_NSURI.equals(qname.getNamespaceURI()) && RESPONSE.equals(qname.getLocalPart());
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11SubjectParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11SubjectParser.java
new file mode 100755
index 0000000000..be38ea8072
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAML11SubjectParser.java
@@ -0,0 +1,114 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.processing.core.parsers.util.SAML11ParserUtil;
+import org.keycloak.saml.processing.core.saml.v1.SAML11Constants;
+import org.keycloak.dom.saml.v1.assertion.SAML11NameIdentifierType;
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectConfirmationType;
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectType;
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectType.SAML11SubjectTypeChoice;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.EndElement;
+import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
+import java.net.URI;
+
+/**
+ * Parse the saml subject
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Oct 12, 2010
+ */
+public class SAML11SubjectParser implements ParserNamespaceSupport {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * @see {@link ParserNamespaceSupport#parse(XMLEventReader)}
+     */
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+        StaxParserUtil.getNextEvent(xmlEventReader);
+
+        SAML11SubjectType subject = new SAML11SubjectType();
+
+        // Peek at the next event
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement endElement = (EndElement) xmlEvent;
+                if (StaxParserUtil.matches(endElement, JBossSAMLConstants.SUBJECT.get())) {
+                    endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                    break;
+                } else
+                    throw logger.parserUnknownEndElement(StaxParserUtil.getEndElementName(endElement));
+            }
+
+            StartElement peekedElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (peekedElement == null)
+                break;
+
+            String tag = StaxParserUtil.getStartElementName(peekedElement);
+
+            if (SAML11Constants.NAME_IDENTIFIER.equalsIgnoreCase(tag)) {
+                peekedElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                String val = StaxParserUtil.getElementText(xmlEventReader);
+                SAML11NameIdentifierType nameID = new SAML11NameIdentifierType(val);
+                Attribute formatAtt = peekedElement.getAttributeByName(new QName(SAML11Constants.FORMAT));
+                if (formatAtt != null) {
+                    nameID.setFormat(URI.create(StaxParserUtil.getAttributeValue(formatAtt)));
+                }
+
+                Attribute nameQAtt = peekedElement.getAttributeByName(new QName(SAML11Constants.NAME_QUALIFIER));
+                if (nameQAtt != null) {
+                    nameID.setNameQualifier(StaxParserUtil.getAttributeValue(nameQAtt));
+                }
+
+                SAML11SubjectTypeChoice subChoice = new SAML11SubjectTypeChoice(nameID);
+                subject.setChoice(subChoice);
+            } else if (JBossSAMLConstants.SUBJECT_CONFIRMATION.get().equalsIgnoreCase(tag)) {
+                SAML11SubjectConfirmationType subjectConfirmationType = SAML11ParserUtil
+                        .parseSAML11SubjectConfirmation(xmlEventReader);
+                subject.setSubjectConfirmation(subjectConfirmationType);
+            } else
+                throw logger.parserUnknownTag(tag, peekedElement.getLocation());
+        }
+        return subject;
+    }
+
+    /**
+     * @see {@link ParserNamespaceSupport#supports(QName)}
+     */
+    public boolean supports(QName qname) {
+        String nsURI = qname.getNamespaceURI();
+        String localPart = qname.getLocalPart();
+
+        return nsURI.equals(JBossSAMLURIConstants.ASSERTION_NSURI.get()) && localPart.equals(JBossSAMLConstants.SUBJECT.get());
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLArtifactResolveParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLArtifactResolveParser.java
new file mode 100755
index 0000000000..47ed7828e6
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLArtifactResolveParser.java
@@ -0,0 +1,90 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.ErrorCodes;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.dom.saml.v2.protocol.ArtifactResolveType;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.StartElement;
+
+/**
+ * Parse the {@link ArtifactResolveType}
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jul 1, 2011
+ */
+public class SAMLArtifactResolveParser extends SAMLRequestAbstractParser implements ParserNamespaceSupport {
+
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+        // Get the startelement
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.ARTIFACT_RESOLVE.get());
+
+        ArtifactResolveType artifactResolve = parseBaseAttributes(startElement);
+
+        while (xmlEventReader.hasNext()) {
+            // Let us peek at the next start element
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (startElement == null)
+                break;
+            super.parseCommonElements(startElement, xmlEventReader, artifactResolve);
+            String elementName = StaxParserUtil.getStartElementName(startElement);
+
+            if (JBossSAMLConstants.ARTIFACT.get().equals(elementName)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                artifactResolve.setArtifact(StaxParserUtil.getElementText(xmlEventReader));
+            } else if (JBossSAMLConstants.ISSUER.get().equals(elementName)) {
+                continue;
+            } else if (JBossSAMLConstants.SIGNATURE.get().equals(elementName)) {
+                continue;
+            } else
+                throw new RuntimeException(ErrorCodes.UNKNOWN_START_ELEMENT + elementName + "::location="
+                        + startElement.getLocation());
+        }
+        return artifactResolve;
+    }
+
+    public boolean supports(QName qname) {
+        return JBossSAMLURIConstants.PROTOCOL_NSURI.get().equals(qname.getNamespaceURI());
+    }
+
+    /**
+     * Parse the attributes at the authnrequesttype element
+     *
+     * @param startElement
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    private ArtifactResolveType parseBaseAttributes(StartElement startElement) throws ParsingException {
+        super.parseRequiredAttributes(startElement);
+        ArtifactResolveType authnRequest = new ArtifactResolveType(id, issueInstant);
+        // Let us get the attributes
+        super.parseBaseAttributes(startElement, authnRequest);
+
+        return authnRequest;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLArtifactResponseParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLArtifactResponseParser.java
new file mode 100755
index 0000000000..8c28b7790d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLArtifactResponseParser.java
@@ -0,0 +1,111 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.ErrorCodes;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.protocol.ArtifactResponseType;
+import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
+import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
+import org.w3c.dom.Element;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.StartElement;
+
+/**
+ * Parse the SAML Response
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since July 1, 2011
+ */
+public class SAMLArtifactResponseParser extends SAMLStatusResponseTypeParser implements ParserNamespaceSupport {
+
+    private final String ARTIFACT_RESPONSE = JBossSAMLConstants.ARTIFACT_RESPONSE.get();
+
+    /**
+     * @see {@link ParserNamespaceSupport#parse(XMLEventReader)}
+     */
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+        // Get the startelement
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, ARTIFACT_RESPONSE);
+
+        ArtifactResponseType response = (ArtifactResponseType) parseBaseAttributes(startElement);
+
+        while (xmlEventReader.hasNext()) {
+            // Let us peek at the next start element
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (startElement == null)
+                break;
+            String elementName = StaxParserUtil.getStartElementName(startElement);
+
+            if (JBossSAMLConstants.ISSUER.get().equals(elementName)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                NameIDType issuer = new NameIDType();
+                issuer.setValue(StaxParserUtil.getElementText(xmlEventReader));
+                response.setIssuer(issuer);
+            } else if (JBossSAMLConstants.SIGNATURE.get().equals(elementName)) {
+                Element sig = StaxParserUtil.getDOMElement(xmlEventReader);
+                response.setSignature(sig);
+            } else if (JBossSAMLConstants.AUTHN_REQUEST.get().equals(elementName)) {
+                SAMLAuthNRequestParser authnParser = new SAMLAuthNRequestParser();
+                AuthnRequestType authn = (AuthnRequestType) authnParser.parse(xmlEventReader);
+                response.setAny(authn);
+            } else if (JBossSAMLConstants.RESPONSE.get().equals(elementName)) {
+                SAMLResponseParser authnParser = new SAMLResponseParser();
+                ResponseType authn = (ResponseType) authnParser.parse(xmlEventReader);
+                response.setAny(authn);
+            } else if (JBossSAMLConstants.STATUS.get().equals(elementName)) {
+                response.setStatus(parseStatus(xmlEventReader));
+            } else
+                throw new RuntimeException(ErrorCodes.UNKNOWN_START_ELEMENT + elementName + "::location="
+                        + startElement.getLocation());
+        }
+
+        return response;
+    }
+
+    /**
+     * @see {@link ParserNamespaceSupport#supports(QName)}
+     */
+    public boolean supports(QName qname) {
+        return JBossSAMLURIConstants.PROTOCOL_NSURI.get().equals(qname.getNamespaceURI())
+                && ARTIFACT_RESPONSE.equals(qname.getLocalPart());
+    }
+
+    /**
+     * Parse the attributes at the response element
+     *
+     * @param startElement
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    protected StatusResponseType parseBaseAttributes(StartElement startElement) throws ParsingException {
+        ArtifactResponseType response = new ArtifactResponseType(super.parseBaseAttributes(startElement));
+        return response;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAssertionParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAssertionParser.java
new file mode 100755
index 0000000000..8825448944
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAssertionParser.java
@@ -0,0 +1,174 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.ErrorCodes;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.DocumentUtil;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.common.util.StringUtil;
+import org.keycloak.saml.processing.core.parsers.util.SAMLParserUtil;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
+import org.keycloak.dom.saml.v2.assertion.AuthnStatementType;
+import org.keycloak.dom.saml.v2.assertion.ConditionsType;
+import org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.assertion.SubjectType;
+import org.w3c.dom.Element;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.EndElement;
+import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
+
+/**
+ * Parse the saml assertion
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Oct 12, 2010
+ */
+public class SAMLAssertionParser implements ParserNamespaceSupport {
+
+    private final String ASSERTION = JBossSAMLConstants.ASSERTION.get();
+
+    public AssertionType fromElement(Element element) throws ConfigurationException, ProcessingException, ParsingException {
+        XMLEventReader xmlEventReader = StaxParserUtil.getXMLEventReader(DocumentUtil.getNodeAsStream(element));
+        return (AssertionType) parse(xmlEventReader);
+    }
+
+    /**
+     * @see {@link ParserNamespaceSupport#parse(XMLEventReader)}
+     */
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+        String startElementName = StaxParserUtil.getStartElementName(startElement);
+        if (startElementName.equals(JBossSAMLConstants.ENCRYPTED_ASSERTION.get())) {
+            Element domElement = StaxParserUtil.getDOMElement(xmlEventReader);
+
+            EncryptedAssertionType encryptedAssertion = new EncryptedAssertionType();
+            encryptedAssertion.setEncryptedElement(domElement);
+            return encryptedAssertion;
+        }
+
+        startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+
+        // Special case: Encrypted Assertion
+        StaxParserUtil.validate(startElement, ASSERTION);
+        AssertionType assertion = parseBaseAttributes(startElement);
+
+        // Peek at the next event
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent == null)
+                break;
+
+            if (xmlEvent instanceof EndElement) {
+                xmlEvent = StaxParserUtil.getNextEvent(xmlEventReader);
+                EndElement endElement = (EndElement) xmlEvent;
+                String endElementTag = StaxParserUtil.getEndElementName(endElement);
+                if (endElementTag.equals(JBossSAMLConstants.ASSERTION.get()))
+                    break;
+                else
+                    throw new RuntimeException(ErrorCodes.UNKNOWN_END_ELEMENT + endElementTag);
+            }
+
+            StartElement peekedElement = null;
+
+            if (xmlEvent instanceof StartElement) {
+                peekedElement = (StartElement) xmlEvent;
+            } else {
+                peekedElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            }
+            if (peekedElement == null)
+                break;
+
+            String tag = StaxParserUtil.getStartElementName(peekedElement);
+
+            if (tag.equals(JBossSAMLConstants.SIGNATURE.get())) {
+                assertion.setSignature(StaxParserUtil.getDOMElement(xmlEventReader));
+                continue;
+            }
+
+            if (JBossSAMLConstants.ISSUER.get().equalsIgnoreCase(tag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                String issuerValue = StaxParserUtil.getElementText(xmlEventReader);
+                NameIDType issuer = new NameIDType();
+                issuer.setValue(issuerValue);
+
+                assertion.setIssuer(issuer);
+            } else if (JBossSAMLConstants.SUBJECT.get().equalsIgnoreCase(tag)) {
+                SAMLSubjectParser subjectParser = new SAMLSubjectParser();
+                assertion.setSubject((SubjectType) subjectParser.parse(xmlEventReader));
+            } else if (JBossSAMLConstants.CONDITIONS.get().equalsIgnoreCase(tag)) {
+                SAMLConditionsParser conditionsParser = new SAMLConditionsParser();
+                ConditionsType conditions = (ConditionsType) conditionsParser.parse(xmlEventReader);
+
+                assertion.setConditions(conditions);
+            } else if (JBossSAMLConstants.AUTHN_STATEMENT.get().equalsIgnoreCase(tag)) {
+                AuthnStatementType authnStatementType = SAMLParserUtil.parseAuthnStatement(xmlEventReader);
+                assertion.addStatement(authnStatementType);
+            } else if (JBossSAMLConstants.ATTRIBUTE_STATEMENT.get().equalsIgnoreCase(tag)) {
+                AttributeStatementType attributeStatementType = SAMLParserUtil.parseAttributeStatement(xmlEventReader);
+                assertion.addStatement(attributeStatementType);
+            } else if (JBossSAMLConstants.STATEMENT.get().equalsIgnoreCase(tag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+
+                String xsiTypeValue = StaxParserUtil.getXSITypeValue(startElement);
+                throw new RuntimeException(ErrorCodes.UNKNOWN_XSI + xsiTypeValue);
+            } else
+                throw new RuntimeException(ErrorCodes.UNKNOWN_TAG + tag + "::location=" + peekedElement.getLocation());
+        }
+        return assertion;
+    }
+
+    /**
+     * @see {@link ParserNamespaceSupport#supports(QName)}
+     */
+    public boolean supports(QName qname) {
+        String nsURI = qname.getNamespaceURI();
+        String localPart = qname.getLocalPart();
+
+        return nsURI.equals(JBossSAMLURIConstants.ASSERTION_NSURI.get())
+                && localPart.equals(JBossSAMLConstants.ASSERTION.get());
+    }
+
+    private AssertionType parseBaseAttributes(StartElement nextElement) throws ParsingException {
+        Attribute idAttribute = nextElement.getAttributeByName(new QName(JBossSAMLConstants.ID.get()));
+        String id = StaxParserUtil.getAttributeValue(idAttribute);
+
+        Attribute versionAttribute = nextElement.getAttributeByName(new QName(JBossSAMLConstants.VERSION.get()));
+        String version = StaxParserUtil.getAttributeValue(versionAttribute);
+        StringUtil.match(JBossSAMLConstants.VERSION_2_0.get(), version);
+
+        Attribute issueInstantAttribute = nextElement.getAttributeByName(new QName(JBossSAMLConstants.ISSUE_INSTANT.get()));
+        XMLGregorianCalendar issueInstant = XMLTimeUtil.parse(StaxParserUtil.getAttributeValue(issueInstantAttribute));
+
+        return new AssertionType(id, issueInstant);
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAttributeQueryParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAttributeQueryParser.java
new file mode 100755
index 0000000000..7c1d38c0d2
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAttributeQueryParser.java
@@ -0,0 +1,92 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.ErrorCodes;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.processing.core.parsers.util.SAMLParserUtil;
+import org.keycloak.dom.saml.v2.protocol.AttributeQueryType;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.StartElement;
+
+/**
+ * Parse the {@link org.keycloak.dom.saml.v2.protocol.ArtifactResolveType}
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jul 1, 2011
+ */
+public class SAMLAttributeQueryParser extends SAMLRequestAbstractParser implements ParserNamespaceSupport {
+
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+        // Get the startelement
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.ATTRIBUTE_QUERY.get());
+
+        AttributeQueryType attributeQuery = parseBaseAttributes(startElement);
+
+        while (xmlEventReader.hasNext()) {
+            // Let us peek at the next start element
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (startElement == null)
+                break;
+            super.parseCommonElements(startElement, xmlEventReader, attributeQuery);
+            String elementName = StaxParserUtil.getStartElementName(startElement);
+
+            if (JBossSAMLConstants.SUBJECT.get().equals(elementName)) {
+                attributeQuery.setSubject(getSubject(xmlEventReader));
+            } else if (JBossSAMLConstants.ATTRIBUTE.get().equals(elementName)) {
+                attributeQuery.add(SAMLParserUtil.parseAttribute(xmlEventReader));
+            } else if (JBossSAMLConstants.ISSUER.get().equals(elementName)) {
+                continue;
+            } else if (JBossSAMLConstants.SIGNATURE.get().equals(elementName)) {
+                continue;
+            } else
+                throw new RuntimeException(ErrorCodes.UNKNOWN_START_ELEMENT + elementName + "::location="
+                        + startElement.getLocation());
+        }
+        return attributeQuery;
+    }
+
+    public boolean supports(QName qname) {
+        return JBossSAMLURIConstants.PROTOCOL_NSURI.get().equals(qname.getNamespaceURI());
+    }
+
+    /**
+     * Parse the attributes at the authnrequesttype element
+     *
+     * @param startElement
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    private AttributeQueryType parseBaseAttributes(StartElement startElement) throws ParsingException {
+        super.parseRequiredAttributes(startElement);
+        AttributeQueryType authnRequest = new AttributeQueryType(id, issueInstant);
+        // Let us get the attributes
+        super.parseBaseAttributes(startElement, authnRequest);
+
+        return authnRequest;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAuthNRequestParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAuthNRequestParser.java
new file mode 100755
index 0000000000..55a5cfde5b
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLAuthNRequestParser.java
@@ -0,0 +1,212 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.ErrorCodes;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.dom.saml.v2.assertion.ConditionsType;
+import org.keycloak.dom.saml.v2.protocol.AuthnContextComparisonType;
+import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
+import org.keycloak.dom.saml.v2.protocol.NameIDPolicyType;
+import org.keycloak.dom.saml.v2.protocol.RequestedAuthnContextType;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.EndElement;
+import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
+import java.net.URI;
+
+/**
+ * Parse the SAML2 AuthnRequest
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 2, 2010
+ */
+public class SAMLAuthNRequestParser extends SAMLRequestAbstractParser implements ParserNamespaceSupport {
+
+    /**
+     * @see {@link ParserNamespaceSupport#parse(XMLEventReader)}
+     */
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+        // Get the startelement
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.AUTHN_REQUEST.get());
+
+        AuthnRequestType authnRequest = parseBaseAttributes(startElement);
+
+        while (xmlEventReader.hasNext()) {
+            // Let us peek at the next start element
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (startElement == null)
+                break;
+            super.parseCommonElements(startElement, xmlEventReader, authnRequest);
+
+            String elementName = StaxParserUtil.getStartElementName(startElement);
+
+            if (JBossSAMLConstants.NAMEID_POLICY.get().equals(elementName)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                authnRequest.setNameIDPolicy(getNameIDPolicy(startElement));
+            } else if (JBossSAMLConstants.SUBJECT.get().equals(elementName)) {
+                authnRequest.setSubject(getSubject(xmlEventReader));
+            } else if (JBossSAMLConstants.CONDITIONS.get().equals(elementName)) {
+                authnRequest.setConditions((ConditionsType) (new SAMLConditionsParser()).parse(xmlEventReader));
+            } else if (JBossSAMLConstants.REQUESTED_AUTHN_CONTEXT.get().equals(elementName)) {
+                authnRequest.setRequestedAuthnContext(getRequestedAuthnContextType(xmlEventReader));
+            } else if (JBossSAMLConstants.ISSUER.get().equals(elementName)) {
+                continue;
+            } else if (JBossSAMLConstants.SIGNATURE.get().equals(elementName)) {
+                continue;
+            } else
+                throw new RuntimeException(ErrorCodes.UNKNOWN_START_ELEMENT + elementName + "::location="
+                        + startElement.getLocation());
+        }
+        return authnRequest;
+    }
+
+    /**
+     * @see {@link ParserNamespaceSupport#supports(QName)}
+     */
+    public boolean supports(QName qname) {
+        return JBossSAMLURIConstants.PROTOCOL_NSURI.get().equals(qname.getNamespaceURI());
+    }
+
+    /**
+     * Parse the attributes at the authnrequesttype element
+     *
+     * @param startElement
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    private AuthnRequestType parseBaseAttributes(StartElement startElement) throws ParsingException {
+        super.parseRequiredAttributes(startElement);
+        AuthnRequestType authnRequest = new AuthnRequestType(id, issueInstant);
+        // Let us get the attributes
+        super.parseBaseAttributes(startElement, authnRequest);
+
+        Attribute assertionConsumerServiceURL = startElement.getAttributeByName(new QName(
+                JBossSAMLConstants.ASSERTION_CONSUMER_SERVICE_URL.get()));
+        if (assertionConsumerServiceURL != null) {
+            String uri = StaxParserUtil.getAttributeValue(assertionConsumerServiceURL);
+            authnRequest.setAssertionConsumerServiceURL(URI.create(uri));
+        }
+
+        Attribute assertionConsumerServiceIndex = startElement.getAttributeByName(new QName(
+                JBossSAMLConstants.ASSERTION_CONSUMER_SERVICE_INDEX.get()));
+        if (assertionConsumerServiceIndex != null)
+            authnRequest.setAssertionConsumerServiceIndex(Integer.parseInt(StaxParserUtil
+                    .getAttributeValue(assertionConsumerServiceIndex)));
+
+        Attribute protocolBinding = startElement.getAttributeByName(new QName(JBossSAMLConstants.PROTOCOL_BINDING.get()));
+        if (protocolBinding != null)
+            authnRequest.setProtocolBinding(URI.create(StaxParserUtil.getAttributeValue(protocolBinding)));
+
+        Attribute providerName = startElement.getAttributeByName(new QName(JBossSAMLConstants.PROVIDER_NAME.get()));
+        if (providerName != null)
+            authnRequest.setProviderName(StaxParserUtil.getAttributeValue(providerName));
+
+        Attribute forceAuthn = startElement.getAttributeByName(new QName(JBossSAMLConstants.FORCE_AUTHN.get()));
+        if (forceAuthn != null) {
+            authnRequest.setForceAuthn(Boolean.parseBoolean(StaxParserUtil.getAttributeValue(forceAuthn)));
+        }
+
+        Attribute isPassive = startElement.getAttributeByName(new QName(JBossSAMLConstants.IS_PASSIVE.get()));
+        if (isPassive != null) {
+            authnRequest.setIsPassive(Boolean.parseBoolean(StaxParserUtil.getAttributeValue(isPassive)));
+        }
+
+        Attribute attributeConsumingServiceIndex = startElement.getAttributeByName(new QName(
+                JBossSAMLConstants.ATTRIBUTE_CONSUMING_SERVICE_INDEX.get()));
+        if (attributeConsumingServiceIndex != null)
+            authnRequest.setAttributeConsumingServiceIndex(Integer.parseInt(StaxParserUtil
+                    .getAttributeValue(attributeConsumingServiceIndex)));
+
+        return authnRequest;
+    }
+
+    /**
+     * Get the NameIDPolicy
+     *
+     * @param startElement
+     *
+     * @return
+     */
+    private NameIDPolicyType getNameIDPolicy(StartElement startElement) {
+        NameIDPolicyType nameIDPolicy = new NameIDPolicyType();
+        Attribute format = startElement.getAttributeByName(new QName(JBossSAMLConstants.FORMAT.get()));
+        if (format != null)
+            nameIDPolicy.setFormat(URI.create(StaxParserUtil.getAttributeValue(format)));
+
+        Attribute allowCreate = startElement.getAttributeByName(new QName(JBossSAMLConstants.ALLOW_CREATE.get()));
+        if (allowCreate != null)
+            nameIDPolicy.setAllowCreate(Boolean.parseBoolean(StaxParserUtil.getAttributeValue(allowCreate)));
+
+        return nameIDPolicy;
+    }
+
+    private RequestedAuthnContextType getRequestedAuthnContextType(XMLEventReader xmlEventReader) throws ParsingException {
+        RequestedAuthnContextType ract = new RequestedAuthnContextType();
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.REQUESTED_AUTHN_CONTEXT.get());
+
+        Attribute comparison = startElement.getAttributeByName(new QName(JBossSAMLConstants.COMPARISON.get()));
+
+        if (comparison != null) {
+            ract.setComparison(AuthnContextComparisonType.fromValue(comparison.getValue()));
+        }
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+
+            if (xmlEvent instanceof EndElement) {
+                EndElement nextEndElement = (EndElement) xmlEvent;
+                if (StaxParserUtil.matches(nextEndElement, JBossSAMLConstants.REQUESTED_AUTHN_CONTEXT.get())) {
+                    nextEndElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                    break;
+                } else
+                    throw new RuntimeException(ErrorCodes.UNKNOWN_END_ELEMENT
+                            + StaxParserUtil.getEndElementName(nextEndElement));
+            }
+
+            String tag = null;
+
+            if (xmlEvent instanceof StartElement) {
+                StartElement peekedElement = (StartElement) xmlEvent;
+                tag = StaxParserUtil.getStartElementName(peekedElement);
+            }
+
+            startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+            String elName = StaxParserUtil.getStartElementName(startElement);
+
+            if (elName.equals(JBossSAMLConstants.AUTHN_CONTEXT_CLASS_REF.get())) {
+                String value = StaxParserUtil.getElementText(xmlEventReader);
+                ract.addAuthnContextClassRef(value);
+            } else
+                throw new RuntimeException(ErrorCodes.UNKNOWN_TAG + elName);
+        }
+
+        return ract;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLConditionsParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLConditionsParser.java
new file mode 100755
index 0000000000..c9d44e4308
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLConditionsParser.java
@@ -0,0 +1,174 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.ErrorCodes;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType;
+import org.keycloak.dom.saml.v2.assertion.ConditionsType;
+import org.keycloak.dom.saml.v2.assertion.OneTimeUseType;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.EndElement;
+import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
+import java.net.URI;
+
+/**
+ * Parse the <conditions> in the saml assertion
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Oct 14, 2010
+ */
+public class SAMLConditionsParser implements ParserNamespaceSupport {
+
+    /**
+     * @see {@link ParserNamespaceSupport#parse(XMLEventReader)}
+     */
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+        // We are entering this method with <conditions> as the next start element
+        // and we have to exit after seeing the </conditions> end tag
+
+        StartElement conditionsElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(conditionsElement, JBossSAMLConstants.CONDITIONS.get());
+
+        ConditionsType conditions = new ConditionsType();
+
+        String assertionNS = JBossSAMLURIConstants.ASSERTION_NSURI.get();
+
+        QName notBeforeQName = new QName("", JBossSAMLConstants.NOT_BEFORE.get());
+        QName notBeforeQNameWithNS = new QName(assertionNS, JBossSAMLConstants.NOT_BEFORE.get());
+
+        QName notAfterQName = new QName("", JBossSAMLConstants.NOT_ON_OR_AFTER.get());
+        QName notAfterQNameWithNS = new QName(assertionNS, JBossSAMLConstants.NOT_ON_OR_AFTER.get());
+
+        Attribute notBeforeAttribute = conditionsElement.getAttributeByName(notBeforeQName);
+        if (notBeforeAttribute == null)
+            notBeforeAttribute = conditionsElement.getAttributeByName(notBeforeQNameWithNS);
+
+        Attribute notAfterAttribute = conditionsElement.getAttributeByName(notAfterQName);
+        if (notAfterAttribute == null)
+            notAfterAttribute = conditionsElement.getAttributeByName(notAfterQNameWithNS);
+
+        if (notBeforeAttribute != null) {
+            String notBeforeValue = StaxParserUtil.getAttributeValue(notBeforeAttribute);
+            conditions.setNotBefore(XMLTimeUtil.parse(notBeforeValue));
+        }
+
+        if (notAfterAttribute != null) {
+            String notAfterValue = StaxParserUtil.getAttributeValue(notAfterAttribute);
+            conditions.setNotOnOrAfter(XMLTimeUtil.parse(notAfterValue));
+        }
+
+        // Let us find additional elements
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+
+            if (xmlEvent instanceof EndElement) {
+                EndElement nextEndElement = (EndElement) xmlEvent;
+                if (StaxParserUtil.matches(nextEndElement, JBossSAMLConstants.CONDITIONS.get())) {
+                    nextEndElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                    break;
+                } else
+                    throw new RuntimeException(ErrorCodes.UNKNOWN_END_ELEMENT
+                            + StaxParserUtil.getEndElementName(nextEndElement));
+            }
+
+            String tag = null;
+
+            if (xmlEvent instanceof StartElement) {
+                StartElement peekedElement = (StartElement) xmlEvent;
+                tag = StaxParserUtil.getStartElementName(peekedElement);
+            }
+
+            if (JBossSAMLConstants.AUDIENCE_RESTRICTION.get().equals(tag)) {
+                AudienceRestrictionType audienceRestriction = getAudienceRestriction(xmlEventReader);
+                conditions.addCondition(audienceRestriction);
+            } else if (JBossSAMLConstants.ONE_TIME_USE.get().equals(tag)) {
+                // just parses the onetimeuse tag. until now PL has no support for onetimeuse conditions.
+                StaxParserUtil.getNextStartElement(xmlEventReader);
+                OneTimeUseType oneTimeUseCondition = new OneTimeUseType();
+                conditions.addCondition(oneTimeUseCondition);
+
+                // Get the end tag
+                EndElement endElement = (EndElement) StaxParserUtil.getNextEvent(xmlEventReader);
+                StaxParserUtil.matches(endElement, JBossSAMLConstants.ONE_TIME_USE.get());
+            } else
+                throw new RuntimeException(ErrorCodes.UNKNOWN_TAG + tag + "::location=" + xmlEvent.getLocation());
+        }
+        return conditions;
+    }
+
+    /**
+     * @see {@link ParserNamespaceSupport#supports(QName)}
+     */
+    public boolean supports(QName qname) {
+        String nsURI = qname.getNamespaceURI();
+        String localPart = qname.getLocalPart();
+
+        return nsURI.equals(JBossSAMLURIConstants.ASSERTION_NSURI.get())
+                && localPart.equals(JBossSAMLConstants.CONDITIONS.get());
+    }
+
+    /**
+     * Parse the <audiencerestriction/> element
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    private AudienceRestrictionType getAudienceRestriction(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement audienceRestElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.matches(audienceRestElement, JBossSAMLConstants.AUDIENCE_RESTRICTION.get());
+
+        AudienceRestrictionType audience = new AudienceRestrictionType();
+
+        while (xmlEventReader.hasNext()) {
+            StartElement audienceElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+            if (!StaxParserUtil.matches(audienceElement, JBossSAMLConstants.AUDIENCE.get()))
+                break;
+
+            if (!StaxParserUtil.hasTextAhead(xmlEventReader))
+                throw new ParsingException(ErrorCodes.EXPECTED_TAG + "audienceValue");
+
+            String audienceValue = StaxParserUtil.getElementText(xmlEventReader);
+            audience.addAudience(URI.create(audienceValue));
+
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement endElement = (EndElement) xmlEvent;
+                if (StaxParserUtil.matches(endElement, JBossSAMLConstants.AUDIENCE_RESTRICTION.get())) {
+                    StaxParserUtil.getNextEvent(xmlEventReader); // Just get the end element
+                    break;
+                } else
+                    throw new RuntimeException(ErrorCodes.UNKNOWN_END_ELEMENT + StaxParserUtil.getEndElementName(endElement));
+            }
+        }
+        return audience;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLParser.java
new file mode 100755
index 0000000000..24c80f74eb
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLParser.java
@@ -0,0 +1,129 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.ErrorCodes;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.AbstractParser;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.processing.core.parsers.saml.metadata.SAMLEntitiesDescriptorParser;
+import org.keycloak.saml.processing.core.parsers.saml.metadata.SAMLEntityDescriptorParser;
+import org.keycloak.saml.processing.core.saml.v1.SAML11Constants;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
+
+/**
+ * Parse SAML payload
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Oct 12, 2010
+ */
+public class SAMLParser extends AbstractParser {
+
+    /**
+     * @see {@link org.keycloak.saml.common.parsers.ParserNamespaceSupport#parse(XMLEventReader)}
+     */
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+
+            if (xmlEvent instanceof StartElement) {
+                StartElement startElement = (StartElement) xmlEvent;
+                QName startElementName = startElement.getName();
+                String nsURI = startElementName.getNamespaceURI();
+
+                String localPart = startElementName.getLocalPart();
+
+                String elementName = StaxParserUtil.getStartElementName(startElement);
+
+                if (elementName.equalsIgnoreCase(JBossSAMLConstants.ASSERTION.get())
+                        || elementName.equals(JBossSAMLConstants.ENCRYPTED_ASSERTION.get())) {
+                    if (nsURI.equals(SAML11Constants.ASSERTION_11_NSURI)) {
+                        SAML11AssertionParser saml11AssertionParser = new SAML11AssertionParser();
+                        return saml11AssertionParser.parse(xmlEventReader);
+                    }
+                    SAMLAssertionParser assertionParser = new SAMLAssertionParser();
+                    return assertionParser.parse(xmlEventReader);
+                } else if (JBossSAMLURIConstants.PROTOCOL_NSURI.get().equals(nsURI)
+                        && JBossSAMLConstants.AUTHN_REQUEST.get().equals(startElementName.getLocalPart())) {
+                    SAMLAuthNRequestParser authNRequestParser = new SAMLAuthNRequestParser();
+                    return authNRequestParser.parse(xmlEventReader);
+                } else if (JBossSAMLURIConstants.PROTOCOL_NSURI.get().equals(nsURI)
+                        && JBossSAMLConstants.LOGOUT_REQUEST.get().equals(startElementName.getLocalPart())) {
+                    SAMLSloRequestParser sloParser = new SAMLSloRequestParser();
+                    return sloParser.parse(xmlEventReader);
+                } else if (JBossSAMLURIConstants.PROTOCOL_NSURI.get().equals(nsURI)
+                        && JBossSAMLConstants.LOGOUT_RESPONSE.get().equals(startElementName.getLocalPart())) {
+                    SAMLSloResponseParser sloParser = new SAMLSloResponseParser();
+                    return sloParser.parse(xmlEventReader);
+                } else if (JBossSAMLURIConstants.PROTOCOL_NSURI.get().equals(nsURI)
+                        && JBossSAMLConstants.RESPONSE.get().equals(startElementName.getLocalPart())) {
+                    SAMLResponseParser responseParser = new SAMLResponseParser();
+                    return responseParser.parse(xmlEventReader);
+                } else if (JBossSAMLURIConstants.PROTOCOL_NSURI.get().equals(nsURI)
+                        && JBossSAMLConstants.REQUEST_ABSTRACT.get().equals(startElementName.getLocalPart())) {
+                    String xsiTypeValue = StaxParserUtil.getXSITypeValue(startElement);
+                    throw new RuntimeException(ErrorCodes.UNKNOWN_XSI + xsiTypeValue);
+                } else if (JBossSAMLURIConstants.PROTOCOL_NSURI.get().equals(nsURI)
+                        && JBossSAMLConstants.ARTIFACT_RESOLVE.get().equals(startElementName.getLocalPart())) {
+                    SAMLArtifactResolveParser artifactResolverParser = new SAMLArtifactResolveParser();
+                    return artifactResolverParser.parse(xmlEventReader);
+                } else if (JBossSAMLURIConstants.PROTOCOL_NSURI.get().equals(nsURI)
+                        && JBossSAMLConstants.ARTIFACT_RESPONSE.get().equals(startElementName.getLocalPart())) {
+                    SAMLArtifactResponseParser responseParser = new SAMLArtifactResponseParser();
+                    return responseParser.parse(xmlEventReader);
+                } else if (JBossSAMLURIConstants.PROTOCOL_NSURI.get().equals(nsURI)
+                        && JBossSAMLConstants.ATTRIBUTE_QUERY.get().equals(startElementName.getLocalPart())) {
+                    SAMLAttributeQueryParser responseParser = new SAMLAttributeQueryParser();
+                    return responseParser.parse(xmlEventReader);
+                } else if (JBossSAMLConstants.ENTITY_DESCRIPTOR.get().equals(localPart)) {
+                    SAMLEntityDescriptorParser entityDescriptorParser = new SAMLEntityDescriptorParser();
+                    return entityDescriptorParser.parse(xmlEventReader);
+                } else if (JBossSAMLConstants.ENTITIES_DESCRIPTOR.get().equals(localPart)) {
+                    SAMLEntitiesDescriptorParser entityDescriptorParser = new SAMLEntitiesDescriptorParser();
+                    return entityDescriptorParser.parse(xmlEventReader);
+                } else if (SAML11Constants.PROTOCOL_11_NSURI.equals(nsURI)
+                        && JBossSAMLConstants.RESPONSE.get().equals(startElementName.getLocalPart())) {
+                    SAML11ResponseParser responseParser = new SAML11ResponseParser();
+                    return responseParser.parse(xmlEventReader);
+                } else if (SAML11Constants.PROTOCOL_11_NSURI.equals(nsURI)
+                        && SAML11Constants.REQUEST.equals(startElementName.getLocalPart())) {
+                    SAML11RequestParser reqParser = new SAML11RequestParser();
+                    return reqParser.parse(xmlEventReader);
+                } else
+                    throw new RuntimeException(ErrorCodes.UNKNOWN_START_ELEMENT + elementName + "::location="
+                            + startElement.getLocation());
+            } else {
+                StaxParserUtil.getNextEvent(xmlEventReader);
+            }
+        }
+        throw new RuntimeException(ErrorCodes.FAILED_PARSING + "SAML Parsing has failed");
+    }
+
+    /**
+     * @see {@link org.keycloak.saml.common.parsers.ParserNamespaceSupport#supports(QName)}
+     */
+    public boolean supports(QName qname) {
+        return JBossSAMLURIConstants.ASSERTION_NSURI.get().equals(qname.getNamespaceURI());
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLRequestAbstractParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLRequestAbstractParser.java
new file mode 100755
index 0000000000..2c39451976
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLRequestAbstractParser.java
@@ -0,0 +1,109 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.assertion.SubjectType;
+import org.keycloak.dom.saml.v2.protocol.RequestAbstractType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.StartElement;
+import java.net.URI;
+
+/**
+ * Base Class for SAML Request Parsing
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 2, 2010
+ */
+public abstract class SAMLRequestAbstractParser {
+
+    protected static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    protected String id;
+
+    protected String version;
+
+    protected XMLGregorianCalendar issueInstant;
+
+    protected void parseRequiredAttributes(StartElement startElement) throws ParsingException {
+        Attribute idAttr = startElement.getAttributeByName(new QName(JBossSAMLConstants.ID.get()));
+        if (idAttr == null)
+            throw logger.parserRequiredAttribute("ID");
+
+        id = StaxParserUtil.getAttributeValue(idAttr);
+
+        Attribute versionAttr = startElement.getAttributeByName(new QName(JBossSAMLConstants.VERSION.get()));
+        if (versionAttr == null)
+            throw logger.parserRequiredAttribute("Version");
+        version = StaxParserUtil.getAttributeValue(versionAttr);
+
+        Attribute issueInstantAttr = startElement.getAttributeByName(new QName(JBossSAMLConstants.ISSUE_INSTANT.get()));
+        if (issueInstantAttr == null)
+            throw logger.parserRequiredAttribute("IssueInstant");
+        issueInstant = XMLTimeUtil.parse(StaxParserUtil.getAttributeValue(issueInstantAttr));
+    }
+
+    /**
+     * Parse the attributes that are common to all SAML Request Types
+     *
+     * @param startElement
+     * @param request
+     *
+     * @throws ParsingException
+     */
+    protected void parseBaseAttributes(StartElement startElement, RequestAbstractType request) throws ParsingException {
+        Attribute destinationAttr = startElement.getAttributeByName(new QName(JBossSAMLConstants.DESTINATION.get()));
+        if (destinationAttr != null)
+            request.setDestination(URI.create(StaxParserUtil.getAttributeValue(destinationAttr)));
+
+        Attribute consent = startElement.getAttributeByName(new QName(JBossSAMLConstants.CONSENT.get()));
+        if (consent != null)
+            request.setConsent(StaxParserUtil.getAttributeValue(consent));
+    }
+
+    protected void parseCommonElements(StartElement startElement, XMLEventReader xmlEventReader, RequestAbstractType request)
+            throws ParsingException {
+        if (startElement == null)
+            throw logger.parserNullStartElement();
+        String elementName = StaxParserUtil.getStartElementName(startElement);
+
+        if (JBossSAMLConstants.ISSUER.get().equals(elementName)) {
+            startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+            NameIDType issuer = new NameIDType();
+            issuer.setValue(StaxParserUtil.getElementText(xmlEventReader));
+            request.setIssuer(issuer);
+        } else if (JBossSAMLConstants.SIGNATURE.get().equals(elementName)) {
+            request.setSignature(StaxParserUtil.getDOMElement(xmlEventReader));
+        }
+    }
+
+    protected SubjectType getSubject(XMLEventReader xmlEventReader) throws ParsingException {
+        SAMLSubjectParser subjectParser = new SAMLSubjectParser();
+        return (SubjectType) subjectParser.parse(xmlEventReader);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLResponseParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLResponseParser.java
new file mode 100755
index 0000000000..7d3c474469
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLResponseParser.java
@@ -0,0 +1,108 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
+import org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
+import org.keycloak.dom.saml.v2.protocol.ResponseType.RTChoiceType;
+import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
+import org.w3c.dom.Element;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.StartElement;
+
+/**
+ * Parse the SAML Response
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 2, 2010
+ */
+public class SAMLResponseParser extends SAMLStatusResponseTypeParser implements ParserNamespaceSupport {
+
+    private final String RESPONSE = JBossSAMLConstants.RESPONSE.get();
+
+    /**
+     * @see {@link ParserNamespaceSupport#parse(XMLEventReader)}
+     */
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+        // Get the startelement
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, RESPONSE);
+
+        ResponseType response = (ResponseType) parseBaseAttributes(startElement);
+
+        while (xmlEventReader.hasNext()) {
+            // Let us peek at the next start element
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (startElement == null)
+                break;
+            String elementName = StaxParserUtil.getStartElementName(startElement);
+
+            if (JBossSAMLConstants.ISSUER.get().equals(elementName)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                NameIDType issuer = new NameIDType();
+                issuer.setValue(StaxParserUtil.getElementText(xmlEventReader));
+                response.setIssuer(issuer);
+            } else if (JBossSAMLConstants.SIGNATURE.get().equals(elementName)) {
+                Element sig = StaxParserUtil.getDOMElement(xmlEventReader);
+                response.setSignature(sig);
+            } else if (JBossSAMLConstants.ASSERTION.get().equals(elementName)) {
+                SAMLAssertionParser assertionParser = new SAMLAssertionParser();
+                response.addAssertion(new RTChoiceType((AssertionType) assertionParser.parse(xmlEventReader)));
+            } else if (JBossSAMLConstants.STATUS.get().equals(elementName)) {
+                response.setStatus(parseStatus(xmlEventReader));
+            } else if (JBossSAMLConstants.ENCRYPTED_ASSERTION.get().equals(elementName)) {
+                Element encryptedAssertion = StaxParserUtil.getDOMElement(xmlEventReader);
+                response.addAssertion(new RTChoiceType(new EncryptedAssertionType(encryptedAssertion)));
+            } else
+                throw logger.parserUnknownTag(elementName, startElement.getLocation());
+        }
+
+        return response;
+    }
+
+    /**
+     * @see {@link ParserNamespaceSupport#supports(QName)}
+     */
+    public boolean supports(QName qname) {
+        return JBossSAMLURIConstants.PROTOCOL_NSURI.get().equals(qname.getNamespaceURI())
+                && RESPONSE.equals(qname.getLocalPart());
+    }
+
+    /**
+     * Parse the attributes at the response element
+     *
+     * @param startElement
+     *
+     * @return
+     *
+     * @throws org.keycloak.saml.common.exceptions.ConfigurationException
+     */
+    protected StatusResponseType parseBaseAttributes(StartElement startElement) throws ParsingException {
+        ResponseType response = new ResponseType(super.parseBaseAttributes(startElement));
+        return response;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSloRequestParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSloRequestParser.java
new file mode 100755
index 0000000000..0f6ba8655c
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSloRequestParser.java
@@ -0,0 +1,119 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.processing.core.parsers.util.SAMLParserUtil;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.StartElement;
+
+import static org.keycloak.saml.common.constants.JBossSAMLURIConstants.PROTOCOL_NSURI;
+
+/**
+ * Parse the Single Log Out requests
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 3, 2010
+ */
+public class SAMLSloRequestParser extends SAMLRequestAbstractParser implements ParserNamespaceSupport {
+
+    /**
+     * @see {@link ParserNamespaceSupport#parse(XMLEventReader)}
+     */
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+        // Get the startelement
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.LOGOUT_REQUEST.get());
+
+        LogoutRequestType logoutRequest = parseBaseAttributes(startElement);
+
+        while (xmlEventReader.hasNext()) {
+            // Let us peek at the next start element
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (startElement == null)
+                break;
+            String elementName = StaxParserUtil.getStartElementName(startElement);
+
+            parseCommonElements(startElement, xmlEventReader, logoutRequest);
+
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (startElement == null)
+                break;
+            elementName = StaxParserUtil.getStartElementName(startElement);
+
+            if (JBossSAMLConstants.SESSION_INDEX.get().equals(elementName)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                logoutRequest.addSessionIndex(StaxParserUtil.getElementText(xmlEventReader));
+            } else if (JBossSAMLConstants.NAMEID.get().equals(elementName)) {
+                NameIDType nameID = SAMLParserUtil.parseNameIDType(xmlEventReader);
+                logoutRequest.setNameID(nameID);
+            } else if (JBossSAMLConstants.ISSUER.get().equals(elementName)) {
+                continue;
+            } else if (JBossSAMLConstants.SIGNATURE.get().equals(elementName)) {
+                continue;
+            } else
+                throw logger.parserUnknownTag(elementName, startElement.getLocation());
+        }
+        return logoutRequest;
+    }
+
+    /**
+     * @see {@link ParserNamespaceSupport#supports(QName)}
+     */
+    public boolean supports(QName qname) {
+        return PROTOCOL_NSURI.get().equals(qname.getNamespaceURI()) && JBossSAMLConstants.LOGOUT_REQUEST.equals(qname.getLocalPart());
+    }
+
+    /**
+     * Parse the attributes at the log out request element
+     *
+     * @param startElement
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    private LogoutRequestType parseBaseAttributes(StartElement startElement) throws ParsingException {
+        super.parseRequiredAttributes(startElement);
+        LogoutRequestType logoutRequest = new LogoutRequestType(id, issueInstant);
+        // Let us get the attributes
+        super.parseBaseAttributes(startElement, logoutRequest);
+
+        Attribute reason = startElement.getAttributeByName(new QName(JBossSAMLConstants.REASON.get()));
+        if (reason != null)
+            logoutRequest.setReason(StaxParserUtil.getAttributeValue(reason));
+
+        Attribute notOnOrAfter = startElement.getAttributeByName(new QName(JBossSAMLConstants.NOT_ON_OR_AFTER.get()));
+        if (notOnOrAfter != null)
+            logoutRequest.setNotOnOrAfter(XMLTimeUtil.parse(StaxParserUtil.getAttributeValue(notOnOrAfter)));
+        return logoutRequest;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSloResponseParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSloResponseParser.java
new file mode 100755
index 0000000000..60216f7e3f
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSloResponseParser.java
@@ -0,0 +1,78 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.StartElement;
+
+import static org.keycloak.saml.common.constants.JBossSAMLConstants.LOGOUT_RESPONSE;
+
+/**
+ * Parse the SLO Response
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 3, 2010
+ */
+public class SAMLSloResponseParser extends SAMLStatusResponseTypeParser implements ParserNamespaceSupport {
+
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+        // Get the startelement
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, LOGOUT_RESPONSE.get());
+
+        StatusResponseType response = parseBaseAttributes(startElement);
+
+        while (xmlEventReader.hasNext()) {
+            // Let us peek at the next start element
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (startElement == null)
+                break;
+            String elementName = StaxParserUtil.getStartElementName(startElement);
+
+            if (JBossSAMLConstants.ISSUER.get().equals(elementName)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                NameIDType issuer = new NameIDType();
+                issuer.setValue(StaxParserUtil.getElementText(xmlEventReader));
+                response.setIssuer(issuer);
+            } else if (JBossSAMLConstants.SIGNATURE.get().equals(elementName)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                StaxParserUtil.bypassElementBlock(xmlEventReader, JBossSAMLConstants.SIGNATURE.get());
+            } else if (JBossSAMLConstants.STATUS.get().equals(elementName)) {
+                response.setStatus(parseStatus(xmlEventReader));
+            }
+        }
+        return response;
+    }
+
+    /**
+     * @see {@link ParserNamespaceSupport#supports(QName)}
+     */
+    public boolean supports(QName qname) {
+        return JBossSAMLURIConstants.PROTOCOL_NSURI.get().equals(qname.getNamespaceURI())
+                && LOGOUT_RESPONSE.equals(qname.getLocalPart());
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLStatusResponseTypeParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLStatusResponseTypeParser.java
new file mode 100755
index 0000000000..ab4b88ea5a
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLStatusResponseTypeParser.java
@@ -0,0 +1,187 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.common.util.StringUtil;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v2.protocol.StatusCodeType;
+import org.keycloak.dom.saml.v2.protocol.StatusDetailType;
+import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
+import org.keycloak.dom.saml.v2.protocol.StatusType;
+import org.w3c.dom.Element;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.EndElement;
+import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
+import java.net.URI;
+
+/**
+ * Base Class for all Response Type parsing for SAML2
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 2, 2010
+ */
+public abstract class SAMLStatusResponseTypeParser {
+
+    protected static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * Parse the attributes that are common to all SAML Response Types
+     *
+     * @param startElement
+     * @param response
+     *
+     * @throws org.keycloak.saml.common.exceptions.ParsingException
+     */
+    protected StatusResponseType parseBaseAttributes(StartElement startElement) throws ParsingException {
+        Attribute idAttr = startElement.getAttributeByName(new QName(JBossSAMLConstants.ID.get()));
+        if (idAttr == null)
+            throw logger.parserRequiredAttribute("ID");
+        String id = StaxParserUtil.getAttributeValue(idAttr);
+
+        Attribute version = startElement.getAttributeByName(new QName(JBossSAMLConstants.VERSION.get()));
+        if (version == null)
+            throw logger.parserRequiredAttribute("Version");
+
+        StringUtil.match(JBossSAMLConstants.VERSION_2_0.get(), StaxParserUtil.getAttributeValue(version));
+
+        Attribute issueInstant = startElement.getAttributeByName(new QName(JBossSAMLConstants.ISSUE_INSTANT.get()));
+        if (issueInstant == null)
+            throw logger.parserRequiredAttribute("IssueInstant");
+        XMLGregorianCalendar issueInstantVal = XMLTimeUtil.parse(StaxParserUtil.getAttributeValue(issueInstant));
+
+        StatusResponseType response = new StatusResponseType(id, issueInstantVal);
+
+        Attribute destination = startElement.getAttributeByName(new QName(JBossSAMLConstants.DESTINATION.get()));
+        if (destination != null)
+            response.setDestination(StaxParserUtil.getAttributeValue(destination));
+
+        Attribute consent = startElement.getAttributeByName(new QName(JBossSAMLConstants.CONSENT.get()));
+        if (consent != null)
+            response.setConsent(StaxParserUtil.getAttributeValue(consent));
+
+        Attribute inResponseTo = startElement.getAttributeByName(new QName(JBossSAMLConstants.IN_RESPONSE_TO.get()));
+        if (inResponseTo != null)
+            response.setInResponseTo(StaxParserUtil.getAttributeValue(inResponseTo));
+        return response;
+    }
+
+    /**
+     * Parse the status element
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    protected StatusType parseStatus(XMLEventReader xmlEventReader) throws ParsingException {
+        // Get the Start Element
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        String STATUS = JBossSAMLConstants.STATUS.get();
+        StaxParserUtil.validate(startElement, STATUS);
+
+        StatusType status = new StatusType();
+
+        while (xmlEventReader.hasNext()) {
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+
+            if (startElement == null)
+                break;
+
+            QName startElementName = startElement.getName();
+            String elementTag = startElementName.getLocalPart();
+
+            StatusCodeType statusCode = new StatusCodeType();
+
+            if (JBossSAMLConstants.STATUS_CODE.get().equals(elementTag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                if (startElement == null)
+                    break;
+                Attribute valueAttr = startElement.getAttributeByName(new QName("Value"));
+                if (valueAttr != null) {
+                    statusCode.setValue(URI.create(StaxParserUtil.getAttributeValue(valueAttr)));
+                }
+                status.setStatusCode(statusCode);
+
+                // Peek at the next start element to see if it is status code
+                startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+                if (startElement == null) {
+                    // Go to Status code end element.
+                    EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                    if (endElement != null) {
+                        StaxParserUtil.validate(endElement, JBossSAMLConstants.STATUS_CODE.get());
+                    }
+                    continue;
+                }
+                elementTag = startElement.getName().getLocalPart();
+                if (JBossSAMLConstants.STATUS_CODE.get().equals(elementTag)) {
+                    StatusCodeType subStatusCodeType = new StatusCodeType();
+                    startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                    Attribute subValueAttr = startElement.getAttributeByName(new QName("Value"));
+                    if (subValueAttr != null) {
+                        subStatusCodeType.setValue(URI.create(StaxParserUtil.getAttributeValue(subValueAttr)));
+                    }
+                    statusCode.setStatusCode(subStatusCodeType);
+
+                    // Go to Status code end element.
+                    EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                    StaxParserUtil.validate(endElement, JBossSAMLConstants.STATUS_CODE.get());
+                    continue;
+                }
+            }
+            if (JBossSAMLConstants.STATUS_MESSAGE.get().equals(elementTag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                if (startElement == null)
+                    break;
+                status.setStatusMessage(StaxParserUtil.getElementText(xmlEventReader));
+            }
+
+            if (JBossSAMLConstants.STATUS_DETAIL.get().equals(elementTag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                if (startElement == null)
+                    break;
+                Element domElement = StaxParserUtil.getDOMElement(xmlEventReader);
+                StatusDetailType statusDetailType = new StatusDetailType();
+                statusDetailType.addStatusDetail(domElement);
+                status.setStatusDetail(statusDetailType);
+            }
+
+            // Get the next end element
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                if (StaxParserUtil.matches(endElement, STATUS))
+                    break;
+                else
+                    throw logger.parserUnknownEndElement(StaxParserUtil.getEndElementName(endElement));
+            } else
+                break;
+        }
+        return status;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSubjectParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSubjectParser.java
new file mode 100755
index 0000000000..8d676c4a3d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/SAMLSubjectParser.java
@@ -0,0 +1,206 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml;
+
+import org.keycloak.saml.common.ErrorCodes;
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.constants.WSTrustConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.processing.core.parsers.util.SAMLParserUtil;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v2.assertion.EncryptedElementType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType;
+import org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType;
+import org.keycloak.dom.saml.v2.assertion.SubjectType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.KeyInfoType;
+import org.w3c.dom.Element;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.EndElement;
+import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
+
+/**
+ * Parse the saml subject
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Oct 12, 2010
+ */
+public class SAMLSubjectParser implements ParserNamespaceSupport {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * @see {@link ParserNamespaceSupport#parse(XMLEventReader)}
+     */
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+        StaxParserUtil.getNextEvent(xmlEventReader);
+
+        SubjectType subject = new SubjectType();
+
+        // Peek at the next event
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement endElement = (EndElement) xmlEvent;
+                if (StaxParserUtil.matches(endElement, JBossSAMLConstants.SUBJECT.get())) {
+                    endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                    break;
+                } else
+                    throw logger.parserUnknownEndElement(StaxParserUtil.getEndElementName(endElement));
+            }
+
+            StartElement peekedElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (peekedElement == null)
+                break;
+
+            String tag = StaxParserUtil.getStartElementName(peekedElement);
+
+            if (JBossSAMLConstants.NAMEID.get().equalsIgnoreCase(tag)) {
+                NameIDType nameID = SAMLParserUtil.parseNameIDType(xmlEventReader);
+                SubjectType.STSubType subType = new SubjectType.STSubType();
+                subType.addBaseID(nameID);
+                subject.setSubType(subType);
+            } else if (JBossSAMLConstants.BASEID.get().equalsIgnoreCase(tag)) {
+                throw new ParsingException(ErrorCodes.UNSUPPORTED_TYPE + JBossSAMLConstants.BASEID.get());
+            } else if (JBossSAMLConstants.ENCRYPTED_ID.get().equals(tag)) {
+                Element domElement = StaxParserUtil.getDOMElement(xmlEventReader);
+                SubjectType.STSubType subType = new SubjectType.STSubType();
+                subType.setEncryptedID(new EncryptedElementType(domElement));
+                subject.setSubType(subType);
+            } else if (JBossSAMLConstants.SUBJECT_CONFIRMATION.get().equalsIgnoreCase(tag)) {
+                StartElement subjectConfirmationElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                Attribute method = subjectConfirmationElement.getAttributeByName(new QName(JBossSAMLConstants.METHOD.get()));
+
+                SubjectConfirmationType subjectConfirmationType = new SubjectConfirmationType();
+
+                if (method != null) {
+                    subjectConfirmationType.setMethod(StaxParserUtil.getAttributeValue(method));
+                }
+
+                // There may be additional things under subject confirmation
+                xmlEvent = StaxParserUtil.peek(xmlEventReader);
+
+                while (xmlEventReader.hasNext()) {
+                    xmlEvent = StaxParserUtil.peek(xmlEventReader);
+
+                    if (xmlEvent instanceof EndElement) {
+                        EndElement endElement = (EndElement) xmlEvent;
+                        if (StaxParserUtil.matches(endElement, JBossSAMLConstants.SUBJECT_CONFIRMATION.get())) {
+                            StaxParserUtil.getNextEndElement(xmlEventReader);
+                            break;
+                        } else
+                            throw logger.parserUnknownEndElement(StaxParserUtil.getEndElementName(endElement));
+                    }
+
+                    peekedElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+
+                    if (peekedElement == null)
+                        break;
+
+                    String startTag = StaxParserUtil.getStartElementName(peekedElement);
+
+                    if (startTag.equals(JBossSAMLConstants.NAMEID.get())) {
+                        NameIDType nameID = SAMLParserUtil.parseNameIDType(xmlEventReader);
+                        subjectConfirmationType.setNameID(nameID);
+                    } else if (JBossSAMLConstants.BASEID.get().equalsIgnoreCase(tag)) {
+                        throw logger.unsupportedType(JBossSAMLConstants.BASEID.get());
+                    } else if (JBossSAMLConstants.ENCRYPTED_ID.get().equals(tag)) {
+                        Element domElement = StaxParserUtil.getDOMElement(xmlEventReader);
+                        subjectConfirmationType.setEncryptedID(new EncryptedElementType(domElement));
+                    } else if (startTag.equals(JBossSAMLConstants.SUBJECT_CONFIRMATION_DATA.get())) {
+                        SubjectConfirmationDataType subjectConfirmationData = parseSubjectConfirmationData(xmlEventReader);
+                        subjectConfirmationType.setSubjectConfirmationData(subjectConfirmationData);
+                    }
+                }
+
+                subject.addConfirmation(subjectConfirmationType);
+            } else
+                throw logger.parserUnknownTag(tag, peekedElement.getLocation());
+        }
+        return subject;
+    }
+
+    /**
+     * @see {@link ParserNamespaceSupport#supports(QName)}
+     */
+    public boolean supports(QName qname) {
+        String nsURI = qname.getNamespaceURI();
+        String localPart = qname.getLocalPart();
+
+        return nsURI.equals(JBossSAMLURIConstants.ASSERTION_NSURI.get()) && localPart.equals(JBossSAMLConstants.SUBJECT.get());
+    }
+
+    private SubjectConfirmationDataType parseSubjectConfirmationData(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.SUBJECT_CONFIRMATION_DATA.get());
+
+        SubjectConfirmationDataType subjectConfirmationData = new SubjectConfirmationDataType();
+
+        Attribute inResponseTo = startElement.getAttributeByName(new QName(JBossSAMLConstants.IN_RESPONSE_TO.get()));
+        if (inResponseTo != null) {
+            subjectConfirmationData.setInResponseTo(StaxParserUtil.getAttributeValue(inResponseTo));
+        }
+
+        Attribute notBefore = startElement.getAttributeByName(new QName(JBossSAMLConstants.NOT_BEFORE.get()));
+        if (notBefore != null) {
+            subjectConfirmationData.setNotBefore(XMLTimeUtil.parse(StaxParserUtil.getAttributeValue(notBefore)));
+        }
+
+        Attribute notOnOrAfter = startElement.getAttributeByName(new QName(JBossSAMLConstants.NOT_ON_OR_AFTER.get()));
+        if (notOnOrAfter != null) {
+            subjectConfirmationData.setNotOnOrAfter(XMLTimeUtil.parse(StaxParserUtil.getAttributeValue(notOnOrAfter)));
+        }
+
+        Attribute recipient = startElement.getAttributeByName(new QName(JBossSAMLConstants.RECIPIENT.get()));
+        if (recipient != null) {
+            subjectConfirmationData.setRecipient(StaxParserUtil.getAttributeValue(recipient));
+        }
+
+        Attribute address = startElement.getAttributeByName(new QName(JBossSAMLConstants.ADDRESS.get()));
+        if (address != null) {
+            subjectConfirmationData.setAddress(StaxParserUtil.getAttributeValue(address));
+        }
+
+        XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+        if (!(xmlEvent instanceof EndElement)) {
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            String tag = StaxParserUtil.getStartElementName(startElement);
+            if (tag.equals(WSTrustConstants.XMLDSig.KEYINFO)) {
+                KeyInfoType keyInfo = SAMLParserUtil.parseKeyInfo(xmlEventReader);
+                subjectConfirmationData.setAnyType(keyInfo);
+            } else if (tag.equals(WSTrustConstants.XMLEnc.ENCRYPTED_KEY)) {
+                subjectConfirmationData.setAnyType(StaxParserUtil.getDOMElement(xmlEventReader));
+            } else
+                throw logger.parserUnknownTag(tag, startElement.getLocation());
+        }
+
+        // Get the end tag
+        EndElement endElement = (EndElement) StaxParserUtil.getNextEvent(xmlEventReader);
+        StaxParserUtil.matches(endElement, JBossSAMLConstants.SUBJECT_CONFIRMATION_DATA.get());
+        return subjectConfirmationData;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/AbstractDescriptorParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/AbstractDescriptorParser.java
new file mode 100755
index 0000000000..bf1031c537
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/AbstractDescriptorParser.java
@@ -0,0 +1,66 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.saml.processing.core.parsers.saml.metadata;
+
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.AbstractParser;
+
+import javax.xml.stream.EventFilter;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.XMLInputFactory;
+import javax.xml.stream.XMLStreamException;
+import javax.xml.stream.events.Characters;
+import javax.xml.stream.events.XMLEvent;
+
+/**
+ * <p>Abstract entity descriptor parser, which provides common parser functionality</p>
+ *
+ * @author <a href="mailto:mposolda@redhat.com">Marek Posolda</a>
+ */
+public abstract class AbstractDescriptorParser extends AbstractParser {
+
+    protected XMLEventReader filterWhiteSpaceCharacters(XMLEventReader xmlEventReader) throws ParsingException {
+
+        XMLInputFactory xmlInputFactory = getXMLInputFactory();
+
+        try {
+            xmlEventReader = xmlInputFactory.createFilteredReader(xmlEventReader, new EventFilter() {
+                public boolean accept(XMLEvent xmlEvent) {
+                    // We are going to disregard characters that are new line and whitespace
+                    if (xmlEvent.isCharacters()) {
+                        Characters chars = xmlEvent.asCharacters();
+                        String data = chars.getData();
+                        data = valid(data) ? data.trim() : null;
+                        return valid(data);
+                    } else {
+                        return xmlEvent.isStartElement() || xmlEvent.isEndElement();
+                    }
+                }
+
+                private boolean valid(String str) {
+                    return str != null && str.length() > 0;
+                }
+            });
+            return xmlEventReader;
+        } catch (XMLStreamException e) {
+            throw new ParsingException(e);
+        }
+    }
+
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/SAMLEntitiesDescriptorParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/SAMLEntitiesDescriptorParser.java
new file mode 100755
index 0000000000..ad174b3b27
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/SAMLEntitiesDescriptorParser.java
@@ -0,0 +1,123 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml.metadata;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v2.metadata.EntitiesDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.ExtensionsType;
+import org.w3c.dom.Element;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.EndElement;
+import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
+
+/**
+ * Parse the SAML Entities Descriptor
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jan 31, 2011
+ */
+public class SAMLEntitiesDescriptorParser extends AbstractDescriptorParser implements ParserNamespaceSupport {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    private final String EDT = JBossSAMLConstants.ENTITIES_DESCRIPTOR.get();
+
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+
+        xmlEventReader = filterWhiteSpaceCharacters(xmlEventReader);
+
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, EDT);
+
+        EntitiesDescriptorType entitiesDescriptorType = new EntitiesDescriptorType();
+
+        // Parse the attributes
+        Attribute validUntil = startElement.getAttributeByName(new QName(JBossSAMLConstants.VALID_UNTIL.get()));
+        if (validUntil != null) {
+            String validUntilValue = StaxParserUtil.getAttributeValue(validUntil);
+            entitiesDescriptorType.setValidUntil(XMLTimeUtil.parse(validUntilValue));
+        }
+
+        Attribute id = startElement.getAttributeByName(new QName(JBossSAMLConstants.ID.get()));
+        if (id != null) {
+            entitiesDescriptorType.setID(StaxParserUtil.getAttributeValue(id));
+        }
+
+        Attribute name = startElement.getAttributeByName(new QName(JBossSAMLConstants.NAME.get()));
+        if (name != null) {
+            entitiesDescriptorType.setName(StaxParserUtil.getAttributeValue(name));
+        }
+
+        Attribute cacheDuration = startElement.getAttributeByName(new QName(JBossSAMLConstants.CACHE_DURATION.get()));
+        if (cacheDuration != null) {
+            entitiesDescriptorType
+                    .setCacheDuration(XMLTimeUtil.parseAsDuration(StaxParserUtil.getAttributeValue(cacheDuration)));
+        }
+
+        // Get the Child Elements
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                StaxParserUtil.validate((EndElement) xmlEvent, EDT);
+                StaxParserUtil.getNextEndElement(xmlEventReader);
+                break;
+            }
+            startElement = (StartElement) xmlEvent;
+            String localPart = startElement.getName().getLocalPart();
+
+            if (JBossSAMLConstants.ENTITY_DESCRIPTOR.get().equals(localPart)) {
+                SAMLEntityDescriptorParser entityParser = new SAMLEntityDescriptorParser();
+                entitiesDescriptorType.addEntityDescriptor(entityParser.parse(xmlEventReader));
+            } else if (JBossSAMLConstants.EXTENSIONS.get().equalsIgnoreCase(localPart)) {
+                entitiesDescriptorType.setExtensions(parseExtensions(xmlEventReader));
+            } else if (JBossSAMLConstants.ENTITIES_DESCRIPTOR.get().equalsIgnoreCase(localPart)) {
+                SAMLEntitiesDescriptorParser parser = new SAMLEntitiesDescriptorParser();
+                entitiesDescriptorType.addEntityDescriptor(parser.parse(xmlEventReader));
+            } else if (localPart.equals(JBossSAMLConstants.SIGNATURE.get())) {
+                entitiesDescriptorType.setSignature(StaxParserUtil.getDOMElement(xmlEventReader));
+            } else
+                throw logger.parserUnknownTag(localPart, startElement.getLocation());
+        }
+        return entitiesDescriptorType;
+    }
+
+    public boolean supports(QName qname) {
+        String nsURI = qname.getNamespaceURI();
+        String localPart = qname.getLocalPart();
+
+        return nsURI.equals(JBossSAMLURIConstants.ASSERTION_NSURI.get()) && localPart.equals(EDT);
+    }
+
+    private ExtensionsType parseExtensions(XMLEventReader xmlEventReader) throws ParsingException {
+        ExtensionsType extensions = new ExtensionsType();
+        Element extElement = StaxParserUtil.getDOMElement(xmlEventReader);
+        extensions.setElement(extElement);
+        return extensions;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/SAMLEntityDescriptorParser.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/SAMLEntityDescriptorParser.java
new file mode 100755
index 0000000000..f9a26edada
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/saml/metadata/SAMLEntityDescriptorParser.java
@@ -0,0 +1,679 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.saml.metadata;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.parsers.ParserNamespaceSupport;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.processing.core.parsers.util.SAMLParserUtil;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
+import org.keycloak.dom.saml.v2.metadata.AttributeAuthorityDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.AttributeConsumingServiceType;
+import org.keycloak.dom.saml.v2.metadata.ContactType;
+import org.keycloak.dom.saml.v2.metadata.ContactTypeType;
+import org.keycloak.dom.saml.v2.metadata.EndpointType;
+import org.keycloak.dom.saml.v2.metadata.EntityDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.ExtensionsType;
+import org.keycloak.dom.saml.v2.metadata.IDPSSODescriptorType;
+import org.keycloak.dom.saml.v2.metadata.IndexedEndpointType;
+import org.keycloak.dom.saml.v2.metadata.KeyDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.KeyTypes;
+import org.keycloak.dom.saml.v2.metadata.LocalizedNameType;
+import org.keycloak.dom.saml.v2.metadata.LocalizedURIType;
+import org.keycloak.dom.saml.v2.metadata.OrganizationType;
+import org.keycloak.dom.saml.v2.metadata.RequestedAttributeType;
+import org.keycloak.dom.saml.v2.metadata.RoleDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.SPSSODescriptorType;
+import org.keycloak.dom.xmlsec.w3.xmlenc.EncryptionMethodType;
+import org.w3c.dom.Element;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.EndElement;
+import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
+import java.math.BigInteger;
+import java.net.URI;
+import java.util.List;
+
+/**
+ * Parse the SAML Metadata element "EntityDescriptor"
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 14, 2010
+ */
+public class SAMLEntityDescriptorParser extends AbstractDescriptorParser implements ParserNamespaceSupport {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    private final String EDT = JBossSAMLConstants.ENTITY_DESCRIPTOR.get();
+
+    public Object parse(XMLEventReader xmlEventReader) throws ParsingException {
+
+        xmlEventReader = filterWhiteSpaceCharacters(xmlEventReader);
+
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, EDT);
+
+        Attribute entityID = startElement.getAttributeByName(new QName(JBossSAMLConstants.ENTITY_ID.get()));
+        String entityIDValue = StaxParserUtil.getAttributeValue(entityID);
+        EntityDescriptorType entityDescriptorType = new EntityDescriptorType(entityIDValue);
+
+        Attribute validUntil = startElement.getAttributeByName(new QName(JBossSAMLConstants.VALID_UNTIL.get()));
+        if (validUntil != null) {
+            String validUntilValue = StaxParserUtil.getAttributeValue(validUntil);
+            entityDescriptorType.setValidUntil(XMLTimeUtil.parse(validUntilValue));
+        }
+
+        Attribute id = startElement.getAttributeByName(new QName(JBossSAMLConstants.ID.get()));
+        if (id != null) {
+            entityDescriptorType.setID(StaxParserUtil.getAttributeValue(id));
+        }
+
+        Attribute cacheDuration = startElement.getAttributeByName(new QName(JBossSAMLConstants.CACHE_DURATION.get()));
+        if (cacheDuration != null) {
+            entityDescriptorType.setCacheDuration(XMLTimeUtil.parseAsDuration(StaxParserUtil.getAttributeValue(cacheDuration)));
+        }
+
+        // Get the Child Elements
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                StaxParserUtil.validate((EndElement) xmlEvent, EDT);
+                StaxParserUtil.getNextEndElement(xmlEventReader);
+                break;
+            }
+            startElement = (StartElement) xmlEvent;
+            String localPart = startElement.getName().getLocalPart();
+
+            if (JBossSAMLConstants.IDP_SSO_DESCRIPTOR.get().equals(localPart)) {
+                IDPSSODescriptorType idpSSO = parseIDPSSODescriptor(xmlEventReader);
+
+                EntityDescriptorType.EDTDescriptorChoiceType edtDescChoice = new EntityDescriptorType.EDTDescriptorChoiceType(idpSSO);
+                EntityDescriptorType.EDTChoiceType edtChoice = EntityDescriptorType.EDTChoiceType.oneValue(edtDescChoice);
+                entityDescriptorType.addChoiceType(edtChoice);
+            } else if (JBossSAMLConstants.SP_SSO_DESCRIPTOR.get().equals(localPart)) {
+                SPSSODescriptorType spSSO = parseSPSSODescriptor(xmlEventReader);
+
+                EntityDescriptorType.EDTDescriptorChoiceType edtDescChoice = new EntityDescriptorType.EDTDescriptorChoiceType(spSSO);
+                EntityDescriptorType.EDTChoiceType edtChoice = EntityDescriptorType.EDTChoiceType.oneValue(edtDescChoice);
+                entityDescriptorType.addChoiceType(edtChoice);
+            } else if (JBossSAMLConstants.ATTRIBUTE_AUTHORITY_DESCRIPTOR.get().equals(localPart)) {
+                AttributeAuthorityDescriptorType attrAuthority = parseAttributeAuthorityDescriptor(xmlEventReader);
+
+                EntityDescriptorType.EDTDescriptorChoiceType edtDescChoice = new EntityDescriptorType.EDTDescriptorChoiceType(attrAuthority);
+                EntityDescriptorType.EDTChoiceType edtChoice = EntityDescriptorType.EDTChoiceType.oneValue(edtDescChoice);
+                entityDescriptorType.addChoiceType(edtChoice);
+            } else if (JBossSAMLConstants.AUTHN_AUTHORITY_DESCRIPTOR.get().equals(localPart)) {
+                throw logger.unsupportedType("AuthnAuthorityDescriptor");
+            } else if (JBossSAMLConstants.AFFILIATION_DESCRIPTOR.get().equals(localPart)) {
+                throw logger.unsupportedType(" AffiliationDescriptor");
+            } else if (JBossSAMLConstants.PDP_DESCRIPTOR.get().equals(localPart)) {
+                throw logger.unsupportedType(" PDPDescriptor");
+            } else if (localPart.equals(JBossSAMLConstants.SIGNATURE.get())) {
+                entityDescriptorType.setSignature(StaxParserUtil.getDOMElement(xmlEventReader));
+            } else if (JBossSAMLConstants.ORGANIZATION.get().equals(localPart)) {
+                OrganizationType organization = parseOrganization(xmlEventReader);
+
+                entityDescriptorType.setOrganization(organization);
+            } else if (JBossSAMLConstants.CONTACT_PERSON.get().equals(localPart)) {
+                entityDescriptorType.addContactPerson(parseContactPerson(xmlEventReader));
+            } else if (JBossSAMLConstants.ADDITIONAL_METADATA_LOCATION.get().equals(localPart)) {
+                throw logger.unsupportedType("AdditionalMetadataLocation");
+            } else if (JBossSAMLConstants.EXTENSIONS.get().equalsIgnoreCase(localPart)) {
+                entityDescriptorType.setExtensions(parseExtensions(xmlEventReader));
+            } else if (JBossSAMLConstants.ROLE_DESCRIPTOR.get().equalsIgnoreCase(localPart)) {
+                RoleDescriptorType roleDescriptor = parseRoleDescriptor(xmlEventReader);
+
+                EntityDescriptorType.EDTDescriptorChoiceType edtDescChoice = new EntityDescriptorType.EDTDescriptorChoiceType(roleDescriptor);
+                EntityDescriptorType.EDTChoiceType edtChoice = EntityDescriptorType.EDTChoiceType.oneValue(edtDescChoice);
+
+                entityDescriptorType.addChoiceType(edtChoice);
+            } else
+                throw logger.parserUnknownStartElement(localPart, startElement.getLocation());
+        }
+        return entityDescriptorType;
+    }
+
+    public boolean supports(QName qname) {
+        String nsURI = qname.getNamespaceURI();
+        String localPart = qname.getLocalPart();
+
+        return nsURI.equals(JBossSAMLURIConstants.ASSERTION_NSURI.get())
+                && localPart.equals(JBossSAMLConstants.ENTITY_DESCRIPTOR.get());
+    }
+
+    private SPSSODescriptorType parseSPSSODescriptor(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.SP_SSO_DESCRIPTOR.get());
+
+        List<String> protocolEnum = SAMLParserUtil.parseProtocolEnumeration(startElement);
+        SPSSODescriptorType spSSODescriptor = new SPSSODescriptorType(protocolEnum);
+
+        Attribute wantAssertionsSigned = startElement.getAttributeByName(new QName(JBossSAMLConstants.WANT_ASSERTIONS_SIGNED
+                .get()));
+        if (wantAssertionsSigned != null) {
+            spSSODescriptor
+                    .setWantAssertionsSigned(Boolean.parseBoolean(StaxParserUtil.getAttributeValue(wantAssertionsSigned)));
+        }
+        Attribute wantAuthnSigned = startElement.getAttributeByName(new QName(JBossSAMLConstants.AUTHN_REQUESTS_SIGNED.get()));
+        if (wantAuthnSigned != null) {
+            spSSODescriptor.setAuthnRequestsSigned(Boolean.parseBoolean(StaxParserUtil.getAttributeValue(wantAuthnSigned)));
+        }
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement end = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(end, JBossSAMLConstants.SP_SSO_DESCRIPTOR.get());
+                break;
+            }
+
+            startElement = (StartElement) xmlEvent;
+            String localPart = startElement.getName().getLocalPart();
+
+            if (JBossSAMLConstants.ARTIFACT_RESOLUTION_SERVICE.get().equals(localPart)) {
+                IndexedEndpointType endpoint = parseArtifactResolutionService(xmlEventReader, startElement);
+                spSSODescriptor.addArtifactResolutionService(endpoint);
+            } else if (JBossSAMLConstants.ASSERTION_CONSUMER_SERVICE.get().equals(localPart)) {
+                IndexedEndpointType endpoint = parseAssertionConsumerService(xmlEventReader, startElement);
+                spSSODescriptor.addAssertionConsumerService(endpoint);
+            } else if (JBossSAMLConstants.ATTRIBUTE_CONSUMING_SERVICE.get().equals(localPart)) {
+                AttributeConsumingServiceType attributeConsumer = parseAttributeConsumingService(xmlEventReader, startElement);
+                spSSODescriptor.addAttributeConsumerService(attributeConsumer);
+            } else if (JBossSAMLConstants.SINGLE_LOGOUT_SERVICE.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                EndpointType endpoint = getEndpointType(startElement);
+
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, JBossSAMLConstants.SINGLE_LOGOUT_SERVICE.get());
+
+                spSSODescriptor.addSingleLogoutService(endpoint);
+            } else if (JBossSAMLConstants.MANAGE_NAMEID_SERVICE.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                EndpointType endpoint = getEndpointType(startElement);
+
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, JBossSAMLConstants.MANAGE_NAMEID_SERVICE.get());
+
+                spSSODescriptor.addManageNameIDService(endpoint);
+            } else if (JBossSAMLConstants.NAMEID_FORMAT.get().equalsIgnoreCase(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                spSSODescriptor.addNameIDFormat(StaxParserUtil.getElementText(xmlEventReader));
+            } else if (JBossSAMLConstants.KEY_DESCRIPTOR.get().equalsIgnoreCase(localPart)) {
+                spSSODescriptor.addKeyDescriptor(parseKeyDescriptor(xmlEventReader));
+            } else if (JBossSAMLConstants.EXTENSIONS.get().equalsIgnoreCase(localPart)) {
+                spSSODescriptor.setExtensions(parseExtensions(xmlEventReader));
+            } else
+                throw logger.parserUnknownTag(localPart, startElement.getLocation());
+        }
+        return spSSODescriptor;
+    }
+
+    private IDPSSODescriptorType parseIDPSSODescriptor(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.IDP_SSO_DESCRIPTOR.get());
+
+        List<String> protocolEnum = SAMLParserUtil.parseProtocolEnumeration(startElement);
+        IDPSSODescriptorType idpSSODescriptor = new IDPSSODescriptorType(protocolEnum);
+
+        Attribute wantAuthnSigned = startElement.getAttributeByName(new QName(JBossSAMLConstants.WANT_AUTHN_REQUESTS_SIGNED
+                .get()));
+        if (wantAuthnSigned != null) {
+            idpSSODescriptor
+                    .setWantAuthnRequestsSigned(Boolean.parseBoolean(StaxParserUtil.getAttributeValue(wantAuthnSigned)));
+        }
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement end = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(end, JBossSAMLConstants.IDP_SSO_DESCRIPTOR.get());
+                break;
+            }
+
+            startElement = (StartElement) xmlEvent;
+            String localPart = startElement.getName().getLocalPart();
+
+            if (JBossSAMLConstants.ARTIFACT_RESOLUTION_SERVICE.get().equals(localPart)) {
+                IndexedEndpointType endpoint = parseArtifactResolutionService(xmlEventReader, startElement);
+                idpSSODescriptor.addArtifactResolutionService(endpoint);
+            } else if (JBossSAMLConstants.ASSERTION_ID_REQUEST_SERVICE.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                EndpointType endpoint = getEndpointType(startElement);
+
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, JBossSAMLConstants.ASSERTION_ID_REQUEST_SERVICE.get());
+
+                idpSSODescriptor.addAssertionIDRequestService(endpoint);
+            } else if (JBossSAMLConstants.SINGLE_LOGOUT_SERVICE.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                EndpointType endpoint = getEndpointType(startElement);
+
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, JBossSAMLConstants.SINGLE_LOGOUT_SERVICE.get());
+
+                idpSSODescriptor.addSingleLogoutService(endpoint);
+            } else if (JBossSAMLConstants.SINGLE_SIGNON_SERVICE.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                EndpointType endpoint = getEndpointType(startElement);
+
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, JBossSAMLConstants.SINGLE_SIGNON_SERVICE.get());
+
+                idpSSODescriptor.addSingleSignOnService(endpoint);
+            } else if (JBossSAMLConstants.MANAGE_NAMEID_SERVICE.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                EndpointType endpoint = getEndpointType(startElement);
+
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, JBossSAMLConstants.MANAGE_NAMEID_SERVICE.get());
+
+                idpSSODescriptor.addManageNameIDService(endpoint);
+            } else if (JBossSAMLConstants.NAMEID_MAPPING_SERVICE.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                EndpointType endpoint = getEndpointType(startElement);
+
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, JBossSAMLConstants.NAMEID_MAPPING_SERVICE.get());
+
+                idpSSODescriptor.addNameIDMappingService(endpoint);
+            } else if (JBossSAMLConstants.NAMEID_FORMAT.get().equalsIgnoreCase(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                idpSSODescriptor.addNameIDFormat(StaxParserUtil.getElementText(xmlEventReader));
+            } else if (JBossSAMLConstants.ATTRIBUTE.get().equalsIgnoreCase(localPart)) {
+                AttributeType attribute = SAMLParserUtil.parseAttribute(xmlEventReader);
+                idpSSODescriptor.addAttribute(attribute);
+            } else if (JBossSAMLConstants.KEY_DESCRIPTOR.get().equalsIgnoreCase(localPart)) {
+                idpSSODescriptor.addKeyDescriptor(parseKeyDescriptor(xmlEventReader));
+            } else if (JBossSAMLConstants.EXTENSIONS.get().equalsIgnoreCase(localPart)) {
+                idpSSODescriptor.setExtensions(parseExtensions(xmlEventReader));
+            } else
+                throw logger.parserUnknownTag(localPart, startElement.getLocation());
+        }
+        return idpSSODescriptor;
+    }
+
+    private EndpointType getEndpointType(StartElement startElement) {
+        Attribute bindingAttr = startElement.getAttributeByName(new QName(JBossSAMLConstants.BINDING.get()));
+        String binding = StaxParserUtil.getAttributeValue(bindingAttr);
+
+        Attribute locationAttr = startElement.getAttributeByName(new QName(JBossSAMLConstants.LOCATION.get()));
+        String location = StaxParserUtil.getAttributeValue(locationAttr);
+
+        EndpointType endpoint = new IndexedEndpointType(URI.create(binding), URI.create(location));
+        Attribute responseLocation = startElement.getAttributeByName(new QName(JBossSAMLConstants.RESPONSE_LOCATION.get()));
+        if (responseLocation != null) {
+            endpoint.setResponseLocation(URI.create(StaxParserUtil.getAttributeValue(responseLocation)));
+        }
+        return endpoint;
+    }
+
+    private AttributeAuthorityDescriptorType parseAttributeAuthorityDescriptor(XMLEventReader xmlEventReader)
+            throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.ATTRIBUTE_AUTHORITY_DESCRIPTOR.get());
+        List<String> protocolEnum = SAMLParserUtil.parseProtocolEnumeration(startElement);
+        AttributeAuthorityDescriptorType attributeAuthority = new AttributeAuthorityDescriptorType(protocolEnum);
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement end = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(end, JBossSAMLConstants.ATTRIBUTE_AUTHORITY_DESCRIPTOR.get());
+                break;
+            }
+
+            startElement = (StartElement) xmlEvent;
+            String localPart = startElement.getName().getLocalPart();
+
+            if (JBossSAMLConstants.ATTRIBUTE_SERVICE.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                Attribute bindingAttr = startElement.getAttributeByName(new QName(JBossSAMLConstants.BINDING.get()));
+                String binding = StaxParserUtil.getAttributeValue(bindingAttr);
+
+                Attribute locationAttr = startElement.getAttributeByName(new QName(JBossSAMLConstants.LOCATION.get()));
+                String location = StaxParserUtil.getAttributeValue(locationAttr);
+
+                IndexedEndpointType endpoint = new IndexedEndpointType(URI.create(binding), URI.create(location));
+
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, JBossSAMLConstants.ATTRIBUTE_SERVICE.get());
+
+                attributeAuthority.addAttributeService(endpoint);
+            } else if (JBossSAMLConstants.KEY_DESCRIPTOR.get().equalsIgnoreCase(localPart)) {
+                attributeAuthority.addKeyDescriptor(parseKeyDescriptor(xmlEventReader));
+            } else if (JBossSAMLConstants.NAMEID_FORMAT.get().equalsIgnoreCase(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                attributeAuthority.addNameIDFormat(StaxParserUtil.getElementText(xmlEventReader));
+            } else if (JBossSAMLConstants.EXTENSIONS.get().equalsIgnoreCase(localPart)) {
+                attributeAuthority.setExtensions(parseExtensions(xmlEventReader));
+            } else
+                throw logger.parserUnknownTag(localPart, startElement.getLocation());
+
+        }
+        return attributeAuthority;
+    }
+
+    private OrganizationType parseOrganization(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.ORGANIZATION.get());
+
+        OrganizationType org = new OrganizationType();
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement end = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(end, JBossSAMLConstants.ORGANIZATION.get());
+                break;
+            }
+
+            startElement = (StartElement) xmlEvent;
+            String localPart = startElement.getName().getLocalPart();
+
+            if (JBossSAMLConstants.ORGANIZATION_NAME.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                LocalizedNameType localName = getLocalizedName(xmlEventReader, startElement);
+                org.addOrganizationName(localName);
+            } else if (JBossSAMLConstants.ORGANIZATION_DISPLAY_NAME.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                LocalizedNameType localName = getLocalizedName(xmlEventReader, startElement);
+                org.addOrganizationDisplayName(localName);
+            } else if (JBossSAMLConstants.ORGANIZATION_URL.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                Attribute lang = startElement.getAttributeByName(new QName(JBossSAMLURIConstants.XML.get(), "lang"));
+                String langVal = StaxParserUtil.getAttributeValue(lang);
+                LocalizedURIType localName = new LocalizedURIType(langVal);
+                localName.setValue(URI.create(StaxParserUtil.getElementText(xmlEventReader)));
+                org.addOrganizationURL(localName);
+            } else if (JBossSAMLConstants.EXTENSIONS.get().equalsIgnoreCase(localPart)) {
+                org.setExtensions(parseExtensions(xmlEventReader));
+            } else
+                throw logger.parserUnknownTag(localPart, startElement.getLocation());
+        }
+        return org;
+    }
+
+    private KeyDescriptorType parseKeyDescriptor(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.KEY_DESCRIPTOR.get());
+
+        KeyDescriptorType keyDescriptor = new KeyDescriptorType();
+
+        String use = StaxParserUtil.getAttributeValue(startElement, "use");
+
+        if (use != null && !use.isEmpty()) {
+            keyDescriptor.setUse(KeyTypes.fromValue(use));
+        }
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement end = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(end, JBossSAMLConstants.KEY_DESCRIPTOR.get());
+                break;
+            }
+
+            startElement = (StartElement) xmlEvent;
+            String localPart = startElement.getName().getLocalPart();
+
+            if (JBossSAMLConstants.KEY_INFO.get().equals(localPart)) {
+                Element key = StaxParserUtil.getDOMElement(xmlEventReader);
+                keyDescriptor.setKeyInfo(key);
+            } else if (JBossSAMLConstants.ENCRYPTION_METHOD.get().equals(localPart)) {
+                keyDescriptor.addEncryptionMethod(parseEncryptionMethod(xmlEventReader));
+            } else
+                throw logger.parserUnknownTag(localPart, startElement.getLocation());
+        }
+
+        return keyDescriptor;
+    }
+
+    private EncryptionMethodType parseEncryptionMethod(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.ENCRYPTION_METHOD.get());
+        Attribute algorithm = startElement.getAttributeByName(new QName("Algorithm"));
+        EncryptionMethodType encryptionMethodType = new EncryptionMethodType(algorithm.getValue());
+
+        BigInteger keySize = null;
+        byte[] OAEPparams = null;
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement end = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(end, JBossSAMLConstants.ENCRYPTION_METHOD.get());
+                break;
+            }
+
+            startElement = (StartElement) xmlEvent;
+            String localPart = startElement.getName().getLocalPart();
+
+            if ("KeySize".equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                keySize = BigInteger.valueOf(Long.valueOf(StaxParserUtil.getElementText(xmlEventReader)));
+            } else if ("OAEPparams".equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                OAEPparams = StaxParserUtil.getElementText(xmlEventReader).getBytes();
+            } else {
+                throw logger.parserUnknownTag(localPart, startElement.getLocation());
+            }
+        }
+
+        EncryptionMethodType.EncryptionMethod encryptionMethod = new EncryptionMethodType.EncryptionMethod(keySize, OAEPparams);
+
+        encryptionMethodType.setEncryptionMethod(encryptionMethod);
+
+        return encryptionMethodType;
+    }
+
+    private ContactType parseContactPerson(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.CONTACT_PERSON.get());
+
+        Attribute attr = startElement.getAttributeByName(new QName(JBossSAMLConstants.CONTACT_TYPE.get()));
+        if (attr == null)
+            throw logger.parserRequiredAttribute("contactType");
+        ContactType contactType = new ContactType(ContactTypeType.fromValue(StaxParserUtil.getAttributeValue(attr)));
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement end = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(end, JBossSAMLConstants.CONTACT_PERSON.get());
+                break;
+            }
+
+            startElement = (StartElement) xmlEvent;
+            String localPart = startElement.getName().getLocalPart();
+
+            if (JBossSAMLConstants.COMPANY.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                contactType.setCompany(StaxParserUtil.getElementText(xmlEventReader));
+            } else if (JBossSAMLConstants.GIVEN_NAME.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                contactType.setGivenName(StaxParserUtil.getElementText(xmlEventReader));
+            } else if (JBossSAMLConstants.SURNAME.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                contactType.setSurName(StaxParserUtil.getElementText(xmlEventReader));
+            } else if (JBossSAMLConstants.EMAIL_ADDRESS.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                contactType.addEmailAddress(StaxParserUtil.getElementText(xmlEventReader));
+            } else if (JBossSAMLConstants.TELEPHONE_NUMBER.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                contactType.addTelephone(StaxParserUtil.getElementText(xmlEventReader));
+            } else if (JBossSAMLConstants.EXTENSIONS.get().equalsIgnoreCase(localPart)) {
+                contactType.setExtensions(parseExtensions(xmlEventReader));
+            } else
+                throw logger.parserUnknownTag(localPart, startElement.getLocation());
+        }
+        return contactType;
+    }
+
+    private LocalizedNameType getLocalizedName(XMLEventReader xmlEventReader, StartElement startElement)
+            throws ParsingException {
+        Attribute lang = startElement.getAttributeByName(new QName(JBossSAMLURIConstants.XML.get(), "lang"));
+        String langVal = StaxParserUtil.getAttributeValue(lang);
+        LocalizedNameType localName = new LocalizedNameType(langVal);
+        localName.setValue(StaxParserUtil.getElementText(xmlEventReader));
+        return localName;
+    }
+
+    private IndexedEndpointType parseAssertionConsumerService(XMLEventReader xmlEventReader, StartElement startElement)
+            throws ParsingException {
+        startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        IndexedEndpointType endpoint = parseIndexedEndpoint(xmlEventReader, startElement);
+
+        EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+        StaxParserUtil.validate(endElement, JBossSAMLConstants.ASSERTION_CONSUMER_SERVICE.get());
+
+        return endpoint;
+    }
+
+    private IndexedEndpointType parseArtifactResolutionService(XMLEventReader xmlEventReader, StartElement startElement)
+            throws ParsingException {
+        startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        IndexedEndpointType endpoint = parseIndexedEndpoint(xmlEventReader, startElement);
+
+        EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+        StaxParserUtil.validate(endElement, JBossSAMLConstants.ARTIFACT_RESOLUTION_SERVICE.get());
+
+        return endpoint;
+    }
+
+    private IndexedEndpointType parseIndexedEndpoint(XMLEventReader xmlEventReader, StartElement startElement) {
+        Attribute bindingAttr = startElement.getAttributeByName(new QName(JBossSAMLConstants.BINDING.get()));
+        String binding = StaxParserUtil.getAttributeValue(bindingAttr);
+
+        Attribute locationAttr = startElement.getAttributeByName(new QName(JBossSAMLConstants.LOCATION.get()));
+        String location = StaxParserUtil.getAttributeValue(locationAttr);
+
+        IndexedEndpointType endpoint = new IndexedEndpointType(URI.create(binding), URI.create(location));
+        Attribute isDefault = startElement.getAttributeByName(new QName(JBossSAMLConstants.ISDEFAULT.get()));
+        if (isDefault != null) {
+            endpoint.setIsDefault(Boolean.parseBoolean(StaxParserUtil.getAttributeValue(isDefault)));
+        }
+        Attribute index = startElement.getAttributeByName(new QName(JBossSAMLConstants.INDEX.get()));
+        if (index != null) {
+            endpoint.setIndex(Integer.parseInt(StaxParserUtil.getAttributeValue(index)));
+        }
+        return endpoint;
+    }
+
+    private AttributeConsumingServiceType parseAttributeConsumingService(XMLEventReader xmlEventReader,
+                                                                         StartElement startElement) throws ParsingException {
+        startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+
+        Attribute indexAttr = startElement.getAttributeByName(new QName(JBossSAMLConstants.INDEX.get()));
+        if (indexAttr == null)
+            throw logger.parserRequiredAttribute("index");
+
+        AttributeConsumingServiceType attributeConsumer = new AttributeConsumingServiceType(Integer.parseInt(StaxParserUtil
+                .getAttributeValue(indexAttr)));
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement end = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(end, JBossSAMLConstants.ATTRIBUTE_CONSUMING_SERVICE.get());
+                break;
+            }
+
+            startElement = (StartElement) xmlEvent;
+            String localPart = startElement.getName().getLocalPart();
+
+            if (JBossSAMLConstants.SERVICE_NAME.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                LocalizedNameType localName = getLocalizedName(xmlEventReader, startElement);
+                attributeConsumer.addServiceName(localName);
+            } else if (JBossSAMLConstants.SERVICE_DESCRIPTION.get().equals(localPart)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                LocalizedNameType localName = getLocalizedName(xmlEventReader, startElement);
+                attributeConsumer.addServiceDescription(localName);
+            } else if (JBossSAMLConstants.REQUESTED_ATTRIBUTE.get().equals(localPart)) {
+                RequestedAttributeType attType = parseRequestedAttributeType(xmlEventReader, startElement);
+                attributeConsumer.addRequestedAttribute(attType);
+            } else
+                throw logger.parserUnknownTag(localPart, startElement.getLocation());
+        }
+
+        return attributeConsumer;
+    }
+
+    private RequestedAttributeType parseRequestedAttributeType(XMLEventReader xmlEventReader, StartElement startElement)
+            throws ParsingException {
+        startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.REQUESTED_ATTRIBUTE.get());
+        RequestedAttributeType attributeType = null;
+
+        Attribute name = startElement.getAttributeByName(new QName(JBossSAMLConstants.NAME.get()));
+        if (name == null)
+            throw logger.parserRequiredAttribute("Name");
+        attributeType = new RequestedAttributeType(StaxParserUtil.getAttributeValue(name));
+
+        Attribute isRequired = startElement.getAttributeByName(new QName(JBossSAMLConstants.IS_REQUIRED.get()));
+        if (isRequired != null) {
+            attributeType.setIsRequired(Boolean.parseBoolean(StaxParserUtil.getAttributeValue(isRequired)));
+        }
+
+        SAMLParserUtil.parseAttributeType(xmlEventReader, startElement, JBossSAMLConstants.REQUESTED_ATTRIBUTE.get(),
+                attributeType);
+        return attributeType;
+    }
+
+    private ExtensionsType parseExtensions(XMLEventReader xmlEventReader) throws ParsingException {
+        ExtensionsType extensions = new ExtensionsType();
+        Element extElement = StaxParserUtil.getDOMElement(xmlEventReader);
+        extensions.setElement(extElement);
+        return extensions;
+    }
+
+    private RoleDescriptorType parseRoleDescriptor(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.ROLE_DESCRIPTOR.get());
+        List<String> protocolEnum = SAMLParserUtil.parseProtocolEnumeration(startElement);
+        RoleDescriptorType roleDescriptorType = new RoleDescriptorType(protocolEnum) {};
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement end = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(end, JBossSAMLConstants.ROLE_DESCRIPTOR.get());
+                break;
+            }
+
+            startElement = (StartElement) xmlEvent;
+            String localPart = startElement.getName().getLocalPart();
+
+            if (JBossSAMLConstants.KEY_DESCRIPTOR.get().equalsIgnoreCase(localPart)) {
+                KeyDescriptorType keyDescriptor = parseKeyDescriptor(xmlEventReader);
+                roleDescriptorType.addKeyDescriptor(keyDescriptor);
+            } else {
+                StaxParserUtil.bypassElementBlock(xmlEventReader, localPart);
+            }
+        }
+
+        return roleDescriptorType;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/util/SAML11ParserUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/util/SAML11ParserUtil.java
new file mode 100755
index 0000000000..30d9ce59fc
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/util/SAML11ParserUtil.java
@@ -0,0 +1,765 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.constants.WSTrustConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.processing.core.parsers.saml.SAML11SubjectParser;
+import org.keycloak.saml.processing.core.saml.v1.SAML11Constants;
+import org.keycloak.saml.processing.core.saml.v2.util.SignatureUtil;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v1.assertion.SAML11ActionType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AttributeStatementType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AttributeType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AudienceRestrictionCondition;
+import org.keycloak.dom.saml.v1.assertion.SAML11AuthenticationStatementType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AuthorityBindingType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AuthorizationDecisionStatementType;
+import org.keycloak.dom.saml.v1.assertion.SAML11ConditionsType;
+import org.keycloak.dom.saml.v1.assertion.SAML11DecisionType;
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectConfirmationType;
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectLocalityType;
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectStatementType;
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectType;
+import org.keycloak.dom.saml.v1.protocol.SAML11AttributeQueryType;
+import org.keycloak.dom.saml.v1.protocol.SAML11AuthenticationQueryType;
+import org.keycloak.dom.saml.v1.protocol.SAML11AuthorizationDecisionQueryType;
+import org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.DSAKeyValueType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.KeyInfoType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.KeyValueType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.RSAKeyValueType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.X509CertificateType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.X509DataType;
+import org.w3c.dom.Element;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.EndElement;
+import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
+import java.net.URI;
+
+/**
+ * Utility for parsing SAML 1.1 payload
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 23, 2011
+ */
+public class SAML11ParserUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * Parse the AuthnStatement inside the assertion
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static SAML11AuthenticationStatementType parseAuthenticationStatement(XMLEventReader xmlEventReader)
+            throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+
+        StaxParserUtil.validate(startElement, SAML11Constants.AUTHENTICATION_STATEMENT);
+
+        Attribute authMethod = startElement.getAttributeByName(new QName(SAML11Constants.AUTHENTICATION_METHOD));
+        if (authMethod == null)
+            throw logger.parserRequiredAttribute(SAML11Constants.AUTHENTICATION_METHOD);
+
+        Attribute authInstant = startElement.getAttributeByName(new QName(SAML11Constants.AUTHENTICATION_INSTANT));
+        if (authInstant == null)
+            throw logger.parserRequiredAttribute(SAML11Constants.AUTHENTICATION_INSTANT);
+
+        SAML11AuthenticationStatementType authStat = new SAML11AuthenticationStatementType(URI.create(StaxParserUtil
+                .getAttributeValue(authMethod)), XMLTimeUtil.parse(StaxParserUtil.getAttributeValue(authInstant)));
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent == null)
+                break;
+
+            if (xmlEvent instanceof EndElement) {
+                xmlEvent = StaxParserUtil.getNextEvent(xmlEventReader);
+                EndElement endElement = (EndElement) xmlEvent;
+                String endElementTag = StaxParserUtil.getEndElementName(endElement);
+                if (endElementTag.equals(SAML11Constants.AUTHENTICATION_STATEMENT))
+                    break;
+                else
+                    throw logger.parserUnknownEndElement(endElementTag);
+            }
+            startElement = null;
+
+            if (xmlEvent instanceof StartElement) {
+                startElement = (StartElement) xmlEvent;
+            } else {
+                startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            }
+            if (startElement == null)
+                break;
+
+            String tag = StaxParserUtil.getStartElementName(startElement);
+
+            if (JBossSAMLConstants.SUBJECT.get().equalsIgnoreCase(tag)) {
+                SAML11SubjectParser subjectParser = new SAML11SubjectParser();
+                SAML11SubjectType subject = (SAML11SubjectType) subjectParser.parse(xmlEventReader);
+                SAML11SubjectStatementType subStat = new SAML11SubjectStatementType();
+                subStat.setSubject(subject);
+
+                authStat.setSubject(subject);
+            } else if (JBossSAMLConstants.SUBJECT_LOCALITY.get().equals(tag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                SAML11SubjectLocalityType subjectLocalityType = new SAML11SubjectLocalityType();
+                Attribute address = startElement.getAttributeByName(new QName(SAML11Constants.IP_ADDRESS));
+                if (address != null) {
+                    subjectLocalityType.setIpAddress(StaxParserUtil.getAttributeValue(address));
+                }
+                Attribute dns = startElement.getAttributeByName(new QName(SAML11Constants.DNS_ADDRESS));
+                if (dns != null) {
+                    subjectLocalityType.setDnsAddress(StaxParserUtil.getAttributeValue(dns));
+                }
+                authStat.setSubjectLocality(subjectLocalityType);
+                StaxParserUtil.validate(StaxParserUtil.getNextEndElement(xmlEventReader),
+                        JBossSAMLConstants.SUBJECT_LOCALITY.get());
+            } else if (SAML11Constants.AUTHORITY_BINDING.equals(tag)) {
+                Attribute authorityKindAttr = startElement.getAttributeByName(new QName(SAML11Constants.AUTHORITY_KIND));
+                if (authorityKindAttr == null)
+                    throw logger.parserRequiredAttribute("AuthorityKind");
+
+                Attribute locationAttr = startElement.getAttributeByName(new QName(SAML11Constants.LOCATION));
+                if (locationAttr == null)
+                    throw logger.parserRequiredAttribute("Location");
+                URI location = URI.create(StaxParserUtil.getAttributeValue(locationAttr));
+
+                Attribute bindingAttr = startElement.getAttributeByName(new QName(SAML11Constants.BINDING));
+                if (bindingAttr == null)
+                    throw logger.parserRequiredAttribute("Binding");
+                URI binding = URI.create(StaxParserUtil.getAttributeValue(bindingAttr));
+
+                QName authorityKind = QName.valueOf(StaxParserUtil.getAttributeValue(authorityKindAttr));
+
+                SAML11AuthorityBindingType authorityBinding = new SAML11AuthorityBindingType(authorityKind, location, binding);
+                authStat.add(authorityBinding);
+            } else
+                throw logger.parserUnknownTag("", startElement.getLocation());
+
+        }
+
+        return authStat;
+    }
+
+    /**
+     * Parse the {@link org.keycloak.dom.saml.v1.assertion.SAML11SubjectConfirmationType}
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static SAML11SubjectConfirmationType parseSAML11SubjectConfirmation(XMLEventReader xmlEventReader)
+            throws ParsingException {
+        SAML11SubjectConfirmationType subjectConfirmationType = new SAML11SubjectConfirmationType();
+
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+
+        // There may be additional things under subject confirmation
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, JBossSAMLConstants.SUBJECT_CONFIRMATION.get());
+                break;
+            }
+
+            if (xmlEvent instanceof StartElement) {
+                startElement = (StartElement) xmlEvent;
+
+                String startTag = StaxParserUtil.getStartElementName(startElement);
+
+                if (startTag.equals(SAML11Constants.CONFIRMATION_METHOD)) {
+                    startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                    String method = StaxParserUtil.getElementText(xmlEventReader);
+                    subjectConfirmationType.addConfirmationMethod(URI.create(method));
+                } else if (startTag.equals(JBossSAMLConstants.SUBJECT_CONFIRMATION_DATA.get())) {
+                    startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                    SubjectConfirmationDataType subjectConfirmationData = parseSubjectConfirmationData(xmlEventReader);
+                    subjectConfirmationType.setSubjectConfirmationData(subjectConfirmationData);
+                } else if (startTag.equals(JBossSAMLConstants.KEY_INFO.get())) {
+                    Element keyInfo = StaxParserUtil.getDOMElement(xmlEventReader);
+                    subjectConfirmationType.setKeyInfo(keyInfo);
+                } else
+                    throw logger.parserUnknownTag(startTag, startElement.getLocation());
+            }
+        }
+        return subjectConfirmationType;
+
+    }
+
+    /**
+     * Parse the {@link SubjectConfirmationDataType}
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static SubjectConfirmationDataType parseSubjectConfirmationData(XMLEventReader xmlEventReader)
+            throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.SUBJECT_CONFIRMATION_DATA.get());
+
+        SubjectConfirmationDataType subjectConfirmationData = new SubjectConfirmationDataType();
+
+        Attribute inResponseTo = startElement.getAttributeByName(new QName(JBossSAMLConstants.IN_RESPONSE_TO.get()));
+        if (inResponseTo != null) {
+            subjectConfirmationData.setInResponseTo(StaxParserUtil.getAttributeValue(inResponseTo));
+        }
+
+        Attribute notBefore = startElement.getAttributeByName(new QName(JBossSAMLConstants.NOT_BEFORE.get()));
+        if (notBefore != null) {
+            subjectConfirmationData.setNotBefore(XMLTimeUtil.parse(StaxParserUtil.getAttributeValue(notBefore)));
+        }
+
+        Attribute notOnOrAfter = startElement.getAttributeByName(new QName(JBossSAMLConstants.NOT_ON_OR_AFTER.get()));
+        if (notOnOrAfter != null) {
+            subjectConfirmationData.setNotOnOrAfter(XMLTimeUtil.parse(StaxParserUtil.getAttributeValue(notOnOrAfter)));
+        }
+
+        Attribute recipient = startElement.getAttributeByName(new QName(JBossSAMLConstants.RECIPIENT.get()));
+        if (recipient != null) {
+            subjectConfirmationData.setRecipient(StaxParserUtil.getAttributeValue(recipient));
+        }
+
+        Attribute address = startElement.getAttributeByName(new QName(JBossSAMLConstants.ADDRESS.get()));
+        if (address != null) {
+            subjectConfirmationData.setAddress(StaxParserUtil.getAttributeValue(address));
+        }
+
+        XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+        if (!(xmlEvent instanceof EndElement)) {
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            String tag = StaxParserUtil.getStartElementName(startElement);
+            if (tag.equals(WSTrustConstants.XMLDSig.KEYINFO)) {
+                KeyInfoType keyInfo = parseKeyInfo(xmlEventReader);
+                subjectConfirmationData.setAnyType(keyInfo);
+            } else if (tag.equals(WSTrustConstants.XMLEnc.ENCRYPTED_KEY)) {
+                subjectConfirmationData.setAnyType(StaxParserUtil.getDOMElement(xmlEventReader));
+            } else
+                throw logger.parserUnknownTag(tag, startElement.getLocation());
+        }
+
+        // Get the end tag
+        EndElement endElement = (EndElement) StaxParserUtil.getNextEvent(xmlEventReader);
+        StaxParserUtil.matches(endElement, JBossSAMLConstants.SUBJECT_CONFIRMATION_DATA.get());
+        return subjectConfirmationData;
+    }
+
+    /**
+     * Parse an {@code SAML11AttributeStatementType}
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static SAML11AttributeStatementType parseSAML11AttributeStatement(XMLEventReader xmlEventReader)
+            throws ParsingException {
+        SAML11AttributeStatementType attributeStatementType = new SAML11AttributeStatementType();
+
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        String ATTRIBSTATEMT = JBossSAMLConstants.ATTRIBUTE_STATEMENT.get();
+        StaxParserUtil.validate(startElement, ATTRIBSTATEMT);
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, JBossSAMLConstants.ATTRIBUTE_STATEMENT.get());
+                break;
+            }
+            // Get the next start element
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            String tag = startElement.getName().getLocalPart();
+            if (JBossSAMLConstants.ATTRIBUTE.get().equals(tag)) {
+                SAML11AttributeType attribute = parseSAML11Attribute(xmlEventReader);
+                attributeStatementType.add(attribute);
+            } else if (JBossSAMLConstants.SUBJECT.get().equals(tag)) {
+                SAML11SubjectParser parser = new SAML11SubjectParser();
+                SAML11SubjectType subject = (SAML11SubjectType) parser.parse(xmlEventReader);
+                attributeStatementType.setSubject(subject);
+            } else
+                throw logger.parserUnknownTag(tag, startElement.getLocation());
+        }
+        return attributeStatementType;
+    }
+
+    /**
+     * Parse a {@link SAML11AttributeType}
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static SAML11AttributeType parseSAML11Attribute(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.ATTRIBUTE.get());
+        SAML11AttributeType attributeType = null;
+
+        Attribute name = startElement.getAttributeByName(new QName(SAML11Constants.ATTRIBUTE_NAME));
+        if (name == null)
+            throw logger.parserRequiredAttribute("Name");
+        String attribName = StaxParserUtil.getAttributeValue(name);
+
+        Attribute namesp = startElement.getAttributeByName(new QName(SAML11Constants.ATTRIBUTE_NAMESPACE));
+        if (namesp == null)
+            throw logger.parserRequiredAttribute("Namespace");
+        String attribNamespace = StaxParserUtil.getAttributeValue(namesp);
+
+        attributeType = new SAML11AttributeType(attribName, URI.create(attribNamespace));
+
+        attributeType.add(parseAttributeValue(xmlEventReader));
+
+        parseAttributeType(xmlEventReader, startElement, JBossSAMLConstants.ATTRIBUTE.get(), attributeType);
+        return attributeType;
+    }
+
+    /**
+     * Parse an {@code SAML11AttributeType}
+     *
+     * @param xmlEventReader
+     *
+     * @throws ParsingException
+     */
+    public static void parseAttributeType(XMLEventReader xmlEventReader, StartElement startElement, String rootTag,
+                                          SAML11AttributeType attributeType) throws ParsingException {
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement end = StaxParserUtil.getNextEndElement(xmlEventReader);
+                if (StaxParserUtil.matches(end, rootTag))
+                    break;
+            }
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (startElement == null)
+                break;
+            String tag = StaxParserUtil.getStartElementName(startElement);
+
+            if (JBossSAMLConstants.ATTRIBUTE.get().equals(tag))
+                break;
+
+            if (JBossSAMLConstants.ATTRIBUTE_VALUE.get().equals(tag)) {
+                Object attributeValue = parseAttributeValue(xmlEventReader);
+                attributeType.add(attributeValue);
+            } else
+                throw logger.parserUnknownTag(tag, startElement.getLocation());
+        }
+    }
+
+    /**
+     * Parse Attribute value
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static Object parseAttributeValue(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.ATTRIBUTE_VALUE.get());
+
+        Attribute type = startElement.getAttributeByName(new QName(JBossSAMLURIConstants.XSI_NSURI.get(), "type", "xsi"));
+        if (type == null) {
+            return StaxParserUtil.getElementText(xmlEventReader);
+        }
+
+        String typeValue = StaxParserUtil.getAttributeValue(type);
+        if (typeValue.contains(":string")) {
+            return StaxParserUtil.getElementText(xmlEventReader);
+        }
+
+        throw logger.parserUnknownXSI(typeValue);
+    }
+
+    public static SAML11AuthorizationDecisionStatementType parseSAML11AuthorizationDecisionStatement(
+            XMLEventReader xmlEventReader) throws ParsingException {
+        SAML11AuthorizationDecisionStatementType authzDecision = null;
+
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, SAML11Constants.AUTHORIZATION_DECISION_STATEMENT);
+
+        Attribute decision = startElement.getAttributeByName(new QName(SAML11Constants.DECISION));
+        if (decision == null)
+            throw logger.parserRequiredAttribute("Decision");
+        String decisionValue = StaxParserUtil.getAttributeValue(decision);
+
+        Attribute resource = startElement.getAttributeByName(new QName(SAML11Constants.RESOURCE));
+        if (resource == null)
+            throw logger.parserRequiredAttribute("Namespace");
+        String resValue = StaxParserUtil.getAttributeValue(resource);
+
+        authzDecision = new SAML11AuthorizationDecisionStatementType(URI.create(resValue),
+                SAML11DecisionType.valueOf(decisionValue));
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement end = StaxParserUtil.getNextEndElement(xmlEventReader);
+                if (StaxParserUtil.matches(end, SAML11Constants.AUTHORIZATION_DECISION_STATEMENT))
+                    break;
+            }
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (startElement == null)
+                break;
+            String tag = StaxParserUtil.getStartElementName(startElement);
+
+            if (SAML11Constants.ACTION.equals(tag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                SAML11ActionType samlAction = new SAML11ActionType();
+                Attribute namespaceAttr = startElement.getAttributeByName(new QName(SAML11Constants.NAMESPACE));
+                if (namespaceAttr != null) {
+                    samlAction.setNamespace(StaxParserUtil.getAttributeValue(namespaceAttr));
+                }
+                samlAction.setValue(StaxParserUtil.getElementText(xmlEventReader));
+
+                authzDecision.addAction(samlAction);
+            } else if (JBossSAMLConstants.SUBJECT.get().equals(tag)) {
+                SAML11SubjectParser parser = new SAML11SubjectParser();
+                authzDecision.setSubject((SAML11SubjectType) parser.parse(xmlEventReader));
+            } else
+                throw logger.parserUnknownTag(tag, startElement.getLocation());
+        }
+        return authzDecision;
+    }
+
+    /**
+     * Parse {@link org.keycloak.dom.saml.v1.assertion.SAML11ConditionsType}
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static SAML11ConditionsType parseSAML11Conditions(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement;
+        SAML11ConditionsType conditions = new SAML11ConditionsType();
+        StartElement conditionsElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(conditionsElement, JBossSAMLConstants.CONDITIONS.get());
+
+        String assertionNS = SAML11Constants.ASSERTION_11_NSURI;
+
+        QName notBeforeQName = new QName("", JBossSAMLConstants.NOT_BEFORE.get());
+        QName notBeforeQNameWithNS = new QName(assertionNS, JBossSAMLConstants.NOT_BEFORE.get());
+
+        QName notAfterQName = new QName("", JBossSAMLConstants.NOT_ON_OR_AFTER.get());
+        QName notAfterQNameWithNS = new QName(assertionNS, JBossSAMLConstants.NOT_ON_OR_AFTER.get());
+
+        Attribute notBeforeAttribute = conditionsElement.getAttributeByName(notBeforeQName);
+        if (notBeforeAttribute == null)
+            notBeforeAttribute = conditionsElement.getAttributeByName(notBeforeQNameWithNS);
+
+        Attribute notAfterAttribute = conditionsElement.getAttributeByName(notAfterQName);
+        if (notAfterAttribute == null)
+            notAfterAttribute = conditionsElement.getAttributeByName(notAfterQNameWithNS);
+
+        if (notBeforeAttribute != null) {
+            String notBeforeValue = StaxParserUtil.getAttributeValue(notBeforeAttribute);
+            conditions.setNotBefore(XMLTimeUtil.parse(notBeforeValue));
+        }
+
+        if (notAfterAttribute != null) {
+            String notAfterValue = StaxParserUtil.getAttributeValue(notAfterAttribute);
+            conditions.setNotOnOrAfter(XMLTimeUtil.parse(notAfterValue));
+        }
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement end = StaxParserUtil.getNextEndElement(xmlEventReader);
+                if (StaxParserUtil.matches(end, JBossSAMLConstants.CONDITIONS.get()))
+                    break;
+            }
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (startElement == null)
+                break;
+            String tag = StaxParserUtil.getStartElementName(startElement);
+
+            if (SAML11Constants.AUDIENCE_RESTRICTION_CONDITION.equals(tag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                SAML11AudienceRestrictionCondition restrictCond = new SAML11AudienceRestrictionCondition();
+
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                if (StaxParserUtil.getStartElementName(startElement).equals(JBossSAMLConstants.AUDIENCE.get())) {
+                    restrictCond.add(URI.create(StaxParserUtil.getElementText(xmlEventReader)));
+                }
+                EndElement theEndElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(theEndElement, SAML11Constants.AUDIENCE_RESTRICTION_CONDITION);
+                conditions.add(restrictCond);
+            } else
+                throw logger.parserUnknownTag(tag, startElement.getLocation());
+        }
+        return conditions;
+    }
+
+    public static KeyInfoType parseKeyInfo(XMLEventReader xmlEventReader) throws ParsingException {
+        KeyInfoType keyInfo = new KeyInfoType();
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, WSTrustConstants.XMLDSig.KEYINFO);
+
+        XMLEvent xmlEvent = null;
+        String tag = null;
+
+        while (xmlEventReader.hasNext()) {
+            xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                tag = StaxParserUtil.getEndElementName((EndElement) xmlEvent);
+                if (tag.equals(WSTrustConstants.XMLDSig.KEYINFO)) {
+                    xmlEvent = StaxParserUtil.getNextEndElement(xmlEventReader);
+                    break;
+                } else
+                    throw logger.parserUnknownEndElement(tag);
+            }
+            startElement = (StartElement) xmlEvent;
+            tag = StaxParserUtil.getStartElementName(startElement);
+            if (tag.equals(WSTrustConstants.XMLEnc.ENCRYPTED_KEY)) {
+                keyInfo.addContent(StaxParserUtil.getDOMElement(xmlEventReader));
+            } else if (tag.equals(WSTrustConstants.XMLDSig.X509DATA)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                X509DataType x509 = new X509DataType();
+
+                // Let us go for the X509 certificate
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                StaxParserUtil.validate(startElement, WSTrustConstants.XMLDSig.X509CERT);
+
+                X509CertificateType cert = new X509CertificateType();
+                String certValue = StaxParserUtil.getElementText(xmlEventReader);
+                cert.setEncodedCertificate(certValue.getBytes());
+                x509.add(cert);
+
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, WSTrustConstants.XMLDSig.X509DATA);
+                keyInfo.addContent(x509);
+            } else if (tag.equals(WSTrustConstants.XMLDSig.KEYVALUE)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                KeyValueType keyValue = null;
+
+                startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+                tag = StaxParserUtil.getStartElementName(startElement);
+                if (tag.equals(WSTrustConstants.XMLDSig.RSA_KEYVALUE)) {
+                    keyValue = parseRSAKeyValue(xmlEventReader);
+                } else if (tag.equals(WSTrustConstants.XMLDSig.DSA_KEYVALUE)) {
+                    keyValue = parseDSAKeyValue(xmlEventReader);
+                } else
+                    throw logger.parserUnknownTag(tag, startElement.getLocation());
+
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, WSTrustConstants.XMLDSig.KEYVALUE);
+
+                keyInfo.addContent(keyValue);
+            }
+        }
+        return keyInfo;
+    }
+
+    public static RSAKeyValueType parseRSAKeyValue(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, WSTrustConstants.XMLDSig.RSA_KEYVALUE);
+
+        XMLEvent xmlEvent = null;
+        String tag = null;
+
+        RSAKeyValueType rsaKeyValue = new RSAKeyValueType();
+
+        while (xmlEventReader.hasNext()) {
+            xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                tag = StaxParserUtil.getEndElementName((EndElement) xmlEvent);
+                if (tag.equals(WSTrustConstants.XMLDSig.RSA_KEYVALUE)) {
+                    xmlEvent = StaxParserUtil.getNextEndElement(xmlEventReader);
+                    break;
+                } else
+                    throw logger.parserUnknownEndElement(tag);
+            }
+
+            startElement = (StartElement) xmlEvent;
+            tag = StaxParserUtil.getStartElementName(startElement);
+            if (tag.equals(WSTrustConstants.XMLDSig.MODULUS)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                String text = StaxParserUtil.getElementText(xmlEventReader);
+                rsaKeyValue.setModulus(text.getBytes());
+            } else if (tag.equals(WSTrustConstants.XMLDSig.EXPONENT)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                String text = StaxParserUtil.getElementText(xmlEventReader);
+                rsaKeyValue.setExponent(text.getBytes());
+            } else
+                throw logger.parserUnknownTag(tag, startElement.getLocation());
+        }
+        return rsaKeyValue;
+    }
+
+    private static DSAKeyValueType parseDSAKeyValue(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, WSTrustConstants.XMLDSig.DSA_KEYVALUE);
+
+        Element dsaElement = StaxParserUtil.getDOMElement(xmlEventReader);
+        return SignatureUtil.getDSAKeyValue(dsaElement);
+    }
+
+    /**
+     * Parse the {@link SAML11AttributeQueryType}
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static SAML11AttributeQueryType parseSAML11AttributeQuery(XMLEventReader xmlEventReader) throws ParsingException {
+        SAML11AttributeQueryType query = new SAML11AttributeQueryType();
+        StartElement startElement;
+        // There may be additional things under subject confirmation
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                if (StaxParserUtil.matches(endElement, SAML11Constants.ATTRIBUTE_QUERY))
+                    break;
+                else
+                    throw logger.parserUnknownEndElement(StaxParserUtil.getEndElementName(endElement));
+            }
+
+            if (xmlEvent instanceof StartElement) {
+                startElement = (StartElement) xmlEvent;
+
+                String startTag = StaxParserUtil.getStartElementName(startElement);
+
+                if (startTag.equals(JBossSAMLConstants.SUBJECT.get())) {
+                    SAML11SubjectParser parser = new SAML11SubjectParser();
+                    query.setSubject((SAML11SubjectType) parser.parse(xmlEventReader));
+                } else
+                    throw logger.parserUnknownTag(startTag, startElement.getLocation());
+            }
+        }
+        return query;
+    }
+
+    /**
+     * Parse the {@link SAML11AttributeQueryType}
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static SAML11AuthenticationQueryType parseSAML11AuthenticationQuery(XMLEventReader xmlEventReader)
+            throws ParsingException {
+        SAML11AuthenticationQueryType query = new SAML11AuthenticationQueryType();
+        StartElement startElement;
+        // There may be additional things under subject confirmation
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                if (StaxParserUtil.matches(endElement, SAML11Constants.AUTHENTICATION_QUERY))
+                    break;
+                else
+                    throw logger.parserUnknownEndElement(StaxParserUtil.getEndElementName(endElement));
+            }
+
+            if (xmlEvent instanceof StartElement) {
+                startElement = (StartElement) xmlEvent;
+
+                String startTag = StaxParserUtil.getStartElementName(startElement);
+
+                if (startTag.equals(JBossSAMLConstants.SUBJECT.get())) {
+                    SAML11SubjectParser parser = new SAML11SubjectParser();
+                    query.setSubject((SAML11SubjectType) parser.parse(xmlEventReader));
+                } else
+                    throw logger.parserUnknownTag(startTag, startElement.getLocation());
+            }
+        }
+        return query;
+    }
+
+    /**
+     * Parse the {@link SAML11AuthorizationDecisionQueryType}
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static SAML11AuthorizationDecisionQueryType parseSAML11AuthorizationDecisionQueryType(XMLEventReader xmlEventReader)
+            throws ParsingException {
+        SAML11AuthorizationDecisionQueryType query = new SAML11AuthorizationDecisionQueryType();
+        StartElement startElement;
+        // There may be additional things under subject confirmation
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                if (StaxParserUtil.matches(endElement, SAML11Constants.AUTHORIZATION_DECISION_QUERY))
+                    break;
+                else
+                    throw logger.parserUnknownEndElement(StaxParserUtil.getEndElementName(endElement));
+            }
+
+            if (xmlEvent instanceof StartElement) {
+                startElement = (StartElement) xmlEvent;
+
+                String startTag = StaxParserUtil.getStartElementName(startElement);
+
+                if (startTag.equals(JBossSAMLConstants.SUBJECT.get())) {
+                    SAML11SubjectParser parser = new SAML11SubjectParser();
+                    query.setSubject((SAML11SubjectType) parser.parse(xmlEventReader));
+                } else if (startTag.equals(SAML11Constants.RESOURCE)) {
+                    startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                    query.setResource(URI.create(StaxParserUtil.getElementText(xmlEventReader)));
+                } else if (startTag.equals(SAML11Constants.ACTION)) {
+                    startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                    SAML11ActionType action = new SAML11ActionType();
+                    Attribute nsAttr = startElement.getAttributeByName(new QName(SAML11Constants.NAMESPACE));
+                    if (nsAttr != null) {
+                        action.setNamespace(StaxParserUtil.getAttributeValue(nsAttr));
+                    }
+
+                    action.setValue(StaxParserUtil.getElementText(xmlEventReader));
+                    query.add(action);
+                } else
+                    throw logger.parserUnknownTag(startTag, startElement.getLocation());
+            }
+        }
+        return query;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/util/SAMLParserUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/util/SAMLParserUtil.java
new file mode 100755
index 0000000000..e048407d3b
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/util/SAMLParserUtil.java
@@ -0,0 +1,544 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.constants.WSTrustConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.util.StaxParserUtil;
+import org.keycloak.saml.common.util.StringUtil;
+import org.keycloak.saml.processing.core.saml.v2.util.SignatureUtil;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
+import org.keycloak.dom.saml.v2.assertion.AuthnContextClassRefType;
+import org.keycloak.dom.saml.v2.assertion.AuthnContextDeclRefType;
+import org.keycloak.dom.saml.v2.assertion.AuthnContextDeclType;
+import org.keycloak.dom.saml.v2.assertion.AuthnContextType;
+import org.keycloak.dom.saml.v2.assertion.AuthnStatementType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.assertion.SubjectLocalityType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.DSAKeyValueType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.KeyInfoType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.KeyValueType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.RSAKeyValueType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.X509CertificateType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.X509DataType;
+import org.w3c.dom.Element;
+
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.StringTokenizer;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLEventReader;
+import javax.xml.stream.events.Attribute;
+import javax.xml.stream.events.EndElement;
+import javax.xml.stream.events.StartElement;
+import javax.xml.stream.events.XMLEvent;
+
+/**
+ * Utility methods for SAML Parser
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 4, 2010
+ */
+public class SAMLParserUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    public static KeyInfoType parseKeyInfo(XMLEventReader xmlEventReader) throws ParsingException {
+        KeyInfoType keyInfo = new KeyInfoType();
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, WSTrustConstants.XMLDSig.KEYINFO);
+
+        XMLEvent xmlEvent = null;
+        String tag = null;
+
+        while (xmlEventReader.hasNext()) {
+            xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                tag = StaxParserUtil.getEndElementName((EndElement) xmlEvent);
+                if (tag.equals(WSTrustConstants.XMLDSig.KEYINFO)) {
+                    xmlEvent = StaxParserUtil.getNextEndElement(xmlEventReader);
+                    break;
+                } else
+                    throw logger.parserUnknownEndElement(tag);
+            }
+            startElement = (StartElement) xmlEvent;
+            tag = StaxParserUtil.getStartElementName(startElement);
+            if (tag.equals(WSTrustConstants.XMLEnc.ENCRYPTED_KEY)) {
+                keyInfo.addContent(StaxParserUtil.getDOMElement(xmlEventReader));
+            } else if (tag.equals(WSTrustConstants.XMLDSig.X509DATA)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                X509DataType x509 = new X509DataType();
+
+                // Let us go for the X509 certificate
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                StaxParserUtil.validate(startElement, WSTrustConstants.XMLDSig.X509CERT);
+
+                X509CertificateType cert = new X509CertificateType();
+                String certValue = StaxParserUtil.getElementText(xmlEventReader);
+                cert.setEncodedCertificate(certValue.getBytes());
+                x509.add(cert);
+
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, WSTrustConstants.XMLDSig.X509DATA);
+                keyInfo.addContent(x509);
+            } else if (tag.equals(WSTrustConstants.XMLDSig.KEYVALUE)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                KeyValueType keyValue = null;
+
+                startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+                tag = StaxParserUtil.getStartElementName(startElement);
+                if (tag.equals(WSTrustConstants.XMLDSig.RSA_KEYVALUE)) {
+                    keyValue = parseRSAKeyValue(xmlEventReader);
+                } else if (tag.equals(WSTrustConstants.XMLDSig.DSA_KEYVALUE)) {
+                    keyValue = parseDSAKeyValue(xmlEventReader);
+                } else
+                    throw logger.parserUnknownTag(tag, startElement.getLocation());
+
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, WSTrustConstants.XMLDSig.KEYVALUE);
+
+                keyInfo.addContent(keyValue);
+            }
+        }
+        return keyInfo;
+    }
+
+    private static RSAKeyValueType parseRSAKeyValue(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, WSTrustConstants.XMLDSig.RSA_KEYVALUE);
+
+        XMLEvent xmlEvent = null;
+        String tag = null;
+
+        RSAKeyValueType rsaKeyValue = new RSAKeyValueType();
+
+        while (xmlEventReader.hasNext()) {
+            xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                tag = StaxParserUtil.getEndElementName((EndElement) xmlEvent);
+                if (tag.equals(WSTrustConstants.XMLDSig.RSA_KEYVALUE)) {
+                    xmlEvent = StaxParserUtil.getNextEndElement(xmlEventReader);
+                    break;
+                } else
+                    throw logger.parserUnknownEndElement(tag);
+            }
+
+            startElement = (StartElement) xmlEvent;
+            tag = StaxParserUtil.getStartElementName(startElement);
+            if (tag.equals(WSTrustConstants.XMLDSig.MODULUS)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                String text = StaxParserUtil.getElementText(xmlEventReader);
+                rsaKeyValue.setModulus(text.getBytes());
+            } else if (tag.equals(WSTrustConstants.XMLDSig.EXPONENT)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                String text = StaxParserUtil.getElementText(xmlEventReader);
+                rsaKeyValue.setExponent(text.getBytes());
+            } else
+                throw logger.parserUnknownTag(tag, startElement.getLocation());
+        }
+        return rsaKeyValue;
+    }
+
+    private static DSAKeyValueType parseDSAKeyValue(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, WSTrustConstants.XMLDSig.DSA_KEYVALUE);
+
+        Element dsaElement = StaxParserUtil.getDOMElement(xmlEventReader);
+        return SignatureUtil.getDSAKeyValue(dsaElement);
+    }
+
+    /**
+     * Parse an {@code AttributeStatementType}
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static AttributeStatementType parseAttributeStatement(XMLEventReader xmlEventReader) throws ParsingException {
+        AttributeStatementType attributeStatementType = new AttributeStatementType();
+
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        String ATTRIBSTATEMT = JBossSAMLConstants.ATTRIBUTE_STATEMENT.get();
+        StaxParserUtil.validate(startElement, ATTRIBSTATEMT);
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, JBossSAMLConstants.ATTRIBUTE_STATEMENT.get());
+                break;
+            }
+            // Get the next start element
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            String tag = startElement.getName().getLocalPart();
+            if (JBossSAMLConstants.ATTRIBUTE.get().equals(tag)) {
+                AttributeType attribute = parseAttribute(xmlEventReader);
+                attributeStatementType.addAttribute(new ASTChoiceType(attribute));
+            } else
+                throw logger.parserUnknownTag(tag, startElement.getLocation());
+        }
+        return attributeStatementType;
+    }
+
+    /**
+     * Parse an {@code AttributeType}
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static AttributeType parseAttribute(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.ATTRIBUTE.get());
+        AttributeType attributeType = null;
+
+        Attribute name = startElement.getAttributeByName(new QName(JBossSAMLConstants.NAME.get()));
+        if (name == null)
+            throw logger.parserRequiredAttribute("Name");
+        attributeType = new AttributeType(StaxParserUtil.getAttributeValue(name));
+
+        parseAttributeType(xmlEventReader, startElement, JBossSAMLConstants.ATTRIBUTE.get(), attributeType);
+
+        return attributeType;
+    }
+
+    /**
+     * Parse an {@code AttributeType}
+     *
+     * @param xmlEventReader
+     *
+     * @throws ParsingException
+     */
+    public static void parseAttributeType(XMLEventReader xmlEventReader, StartElement startElement, String rootTag,
+            AttributeType attributeType) throws ParsingException {
+        // Look for X500 Encoding
+        QName x500EncodingName = new QName(JBossSAMLURIConstants.X500_NSURI.get(), JBossSAMLConstants.ENCODING.get(),
+                JBossSAMLURIConstants.X500_PREFIX.get());
+        Attribute x500EncodingAttr = startElement.getAttributeByName(x500EncodingName);
+
+        if (x500EncodingAttr != null) {
+            attributeType.getOtherAttributes().put(x500EncodingAttr.getName(),
+                    StaxParserUtil.getAttributeValue(x500EncodingAttr));
+        }
+
+        Attribute friendlyName = startElement.getAttributeByName(new QName(JBossSAMLConstants.FRIENDLY_NAME.get()));
+        if (friendlyName != null)
+            attributeType.setFriendlyName(StaxParserUtil.getAttributeValue(friendlyName));
+
+        Attribute nameFormat = startElement.getAttributeByName(new QName(JBossSAMLConstants.NAME_FORMAT.get()));
+        if (nameFormat != null)
+            attributeType.setNameFormat(StaxParserUtil.getAttributeValue(nameFormat));
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof EndElement) {
+                EndElement end = StaxParserUtil.getNextEndElement(xmlEventReader);
+                if (StaxParserUtil.matches(end, rootTag))
+                    break;
+            }
+            startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            if (startElement == null)
+                break;
+            String tag = StaxParserUtil.getStartElementName(startElement);
+
+            if (JBossSAMLConstants.ATTRIBUTE.get().equals(tag))
+                break;
+
+            if (JBossSAMLConstants.ATTRIBUTE_VALUE.get().equals(tag)) {
+                Object attributeValue = parseAttributeValue(xmlEventReader);
+                attributeType.addAttributeValue(attributeValue);
+            } else
+                throw logger.parserUnknownTag(tag, startElement.getLocation());
+        }
+    }
+
+    /**
+     * Parse Attribute value
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static Object parseAttributeValue(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.ATTRIBUTE_VALUE.get());
+
+        Attribute type = startElement.getAttributeByName(new QName(JBossSAMLURIConstants.XSI_NSURI.get(), "type", "xsi"));
+        if (type == null) {
+            if (StaxParserUtil.hasTextAhead(xmlEventReader)) {
+                return StaxParserUtil.getElementText(xmlEventReader);
+            }
+            // Else we may have Child Element
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent instanceof StartElement) {
+                startElement = (StartElement) xmlEvent;
+                String tag = StaxParserUtil.getStartElementName(startElement);
+                if (tag.equals(JBossSAMLConstants.NAMEID.get())) {
+                    return parseNameIDType(xmlEventReader);
+                }
+            } else if (xmlEvent instanceof EndElement) {
+                return "";
+            }
+
+            throw logger.unsupportedType(StaxParserUtil.getStartElementName(startElement));
+        }
+        //      RK Added an additional type check for base64Binary type as calheers is passing this type
+        String typeValue = StaxParserUtil.getAttributeValue(type);
+        if (typeValue.contains(":string")) {
+            return StaxParserUtil.getElementText(xmlEventReader);
+        } else if (typeValue.contains(":anyType")) {
+            // TODO: for now assume that it is a text value that can be parsed and set as the attribute value
+            return StaxParserUtil.getElementText(xmlEventReader);
+        } else if(typeValue.contains(":base64Binary")){
+            return StaxParserUtil.getElementText(xmlEventReader);
+        }
+
+
+        throw logger.parserUnknownXSI(typeValue);
+    }
+
+    /**
+     * Parse the AuthnStatement inside the assertion
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static AuthnStatementType parseAuthnStatement(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        String AUTHNSTATEMENT = JBossSAMLConstants.AUTHN_STATEMENT.get();
+        StaxParserUtil.validate(startElement, AUTHNSTATEMENT);
+
+        Attribute authnInstant = startElement.getAttributeByName(new QName("AuthnInstant"));
+        if (authnInstant == null)
+            throw logger.parserRequiredAttribute("AuthnInstant");
+
+        XMLGregorianCalendar issueInstant = XMLTimeUtil.parse(StaxParserUtil.getAttributeValue(authnInstant));
+        AuthnStatementType authnStatementType = new AuthnStatementType(issueInstant);
+
+        Attribute sessionIndex = startElement.getAttributeByName(new QName("SessionIndex"));
+        if (sessionIndex != null)
+            authnStatementType.setSessionIndex(StaxParserUtil.getAttributeValue(sessionIndex));
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent == null)
+                break;
+
+            if (xmlEvent instanceof EndElement) {
+                xmlEvent = StaxParserUtil.getNextEvent(xmlEventReader);
+                EndElement endElement = (EndElement) xmlEvent;
+                String endElementTag = StaxParserUtil.getEndElementName(endElement);
+                if (endElementTag.equals(AUTHNSTATEMENT))
+                    break;
+                else
+                    throw logger.parserUnknownEndElement(endElementTag);
+            }
+            startElement = null;
+
+            if (xmlEvent instanceof StartElement) {
+                startElement = (StartElement) xmlEvent;
+            } else {
+                startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            }
+            if (startElement == null)
+                break;
+
+            String tag = StaxParserUtil.getStartElementName(startElement);
+
+            if (JBossSAMLConstants.SUBJECT_LOCALITY.get().equals(tag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                SubjectLocalityType subjectLocalityType = new SubjectLocalityType();
+                Attribute address = startElement.getAttributeByName(new QName(JBossSAMLConstants.ADDRESS.get()));
+                if (address != null) {
+                    subjectLocalityType.setAddress(StaxParserUtil.getAttributeValue(address));
+                }
+                Attribute dns = startElement.getAttributeByName(new QName(JBossSAMLConstants.DNS_NAME.get()));
+                if (dns != null) {
+                    subjectLocalityType.setDNSName(StaxParserUtil.getAttributeValue(dns));
+                }
+                authnStatementType.setSubjectLocality(subjectLocalityType);
+                StaxParserUtil.validate(StaxParserUtil.getNextEndElement(xmlEventReader),
+                        JBossSAMLConstants.SUBJECT_LOCALITY.get());
+            } else if (JBossSAMLConstants.AUTHN_CONTEXT.get().equals(tag)) {
+                authnStatementType.setAuthnContext(parseAuthnContextType(xmlEventReader));
+            } else
+                throw logger.parserUnknownTag(tag, startElement.getLocation());
+
+        }
+
+        return authnStatementType;
+    }
+
+    /**
+     * Parse the AuthnContext Type inside the AuthnStatement
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static AuthnContextType parseAuthnContextType(XMLEventReader xmlEventReader) throws ParsingException {
+        AuthnContextType authnContextType = new AuthnContextType();
+
+        StartElement startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        StaxParserUtil.validate(startElement, JBossSAMLConstants.AUTHN_CONTEXT.get());
+
+        while (xmlEventReader.hasNext()) {
+            XMLEvent xmlEvent = StaxParserUtil.peek(xmlEventReader);
+            if (xmlEvent == null)
+                break;
+
+            if (xmlEvent instanceof EndElement) {
+                xmlEvent = StaxParserUtil.getNextEvent(xmlEventReader);
+                EndElement endElement = (EndElement) xmlEvent;
+                String endElementTag = StaxParserUtil.getEndElementName(endElement);
+                if (endElementTag.equals(JBossSAMLConstants.AUTHN_CONTEXT.get()))
+                    break;
+                else
+                    throw logger.parserUnknownEndElement(endElementTag);
+            }
+            startElement = null;
+
+            if (xmlEvent instanceof StartElement) {
+                startElement = (StartElement) xmlEvent;
+            } else {
+                startElement = StaxParserUtil.peekNextStartElement(xmlEventReader);
+            }
+            if (startElement == null)
+                break;
+
+            String tag = StaxParserUtil.getStartElementName(startElement);
+
+            if (JBossSAMLConstants.AUTHN_CONTEXT_DECLARATION.get().equals(tag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+
+                Element dom = StaxParserUtil.getDOMElement(xmlEventReader);
+
+                AuthnContextDeclType authnContextDecl = new AuthnContextDeclType(dom);
+                AuthnContextType.AuthnContextTypeSequence authnContextSequence = authnContextType.new AuthnContextTypeSequence();
+                authnContextSequence.setAuthnContextDecl(authnContextDecl);
+                authnContextType.setSequence(authnContextSequence);
+
+                EndElement endElement = StaxParserUtil.getNextEndElement(xmlEventReader);
+                StaxParserUtil.validate(endElement, JBossSAMLConstants.AUTHN_CONTEXT_DECLARATION.get());
+            } else if (JBossSAMLConstants.AUTHN_CONTEXT_DECLARATION_REF.get().equals(tag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                String text = StaxParserUtil.getElementText(xmlEventReader);
+
+                AuthnContextDeclRefType aAuthnContextDeclType = new AuthnContextDeclRefType(URI.create(text));
+                authnContextType.addURIType(aAuthnContextDeclType);
+            } else if (JBossSAMLConstants.AUTHN_CONTEXT_CLASS_REF.get().equals(tag)) {
+                startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+                String text = StaxParserUtil.getElementText(xmlEventReader);
+
+                AuthnContextClassRefType aAuthnContextClassRefType = new AuthnContextClassRefType(URI.create(text));
+                AuthnContextType.AuthnContextTypeSequence authnContextSequence = authnContextType.new AuthnContextTypeSequence();
+                authnContextSequence.setClassRef(aAuthnContextClassRefType);
+
+                authnContextType.setSequence(authnContextSequence);
+            } else if (JBossSAMLConstants.AUTHENTICATING_AUTHORITY.get().equals(tag)) {
+              startElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+              String text = StaxParserUtil.getElementText(xmlEventReader);
+              authnContextType.addAuthenticatingAuthority(URI.create(text));
+            } else
+                throw logger.parserUnknownTag(tag, startElement.getLocation());
+        }
+
+        return authnContextType;
+    }
+
+    /**
+     * Parse a {@code NameIDType}
+     *
+     * @param xmlEventReader
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static NameIDType parseNameIDType(XMLEventReader xmlEventReader) throws ParsingException {
+        StartElement nameIDElement = StaxParserUtil.getNextStartElement(xmlEventReader);
+        NameIDType nameID = new NameIDType();
+
+        Attribute nameQualifier = nameIDElement.getAttributeByName(new QName(JBossSAMLConstants.NAME_QUALIFIER.get()));
+        if (nameQualifier != null) {
+            nameID.setNameQualifier(StaxParserUtil.getAttributeValue(nameQualifier));
+        }
+
+        Attribute format = nameIDElement.getAttributeByName(new QName(JBossSAMLConstants.FORMAT.get()));
+        if (format != null) {
+            nameID.setFormat(URI.create(StaxParserUtil.getAttributeValue(format)));
+        }
+
+        Attribute spProvidedID = nameIDElement.getAttributeByName(new QName(JBossSAMLConstants.SP_PROVIDED_ID.get()));
+        if (spProvidedID != null) {
+            nameID.setSPProvidedID(StaxParserUtil.getAttributeValue(spProvidedID));
+        }
+
+        Attribute spNameQualifier = nameIDElement.getAttributeByName(new QName(JBossSAMLConstants.SP_NAME_QUALIFIER.get()));
+        if (spNameQualifier != null) {
+            nameID.setSPNameQualifier(StaxParserUtil.getAttributeValue(spNameQualifier));
+        }
+
+        String nameIDValue = StaxParserUtil.getElementText(xmlEventReader);
+        nameID.setValue(nameIDValue);
+
+        return nameID;
+    }
+
+    /**
+     * Parse a space delimited list of strings
+     *
+     * @param startElement
+     *
+     * @return
+     */
+    public static List<String> parseProtocolEnumeration(StartElement startElement) {
+        List<String> protocolEnum = new ArrayList<String>();
+        Attribute proto = startElement.getAttributeByName(new QName(JBossSAMLConstants.PROTOCOL_SUPPORT_ENUMERATION.get()));
+        String val = StaxParserUtil.getAttributeValue(proto);
+        if (StringUtil.isNotNull(val)) {
+            StringTokenizer st = new StringTokenizer(val);
+            while (st.hasMoreTokens()) {
+                protocolEnum.add(st.nextToken());
+            }
+
+        }
+        return protocolEnum;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/util/SecurityActions.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/util/SecurityActions.java
new file mode 100755
index 0000000000..6ff7025de2
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/parsers/util/SecurityActions.java
@@ -0,0 +1,94 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.parsers.util;
+
+import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * Privileged Blocks
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Oct 25, 2010
+ */
+public class SecurityActions {
+
+    /**
+     * <p>Returns a system property value using the specified <code>key</code>. If not found the
+     * <code>defaultValue</code> will be returned.</p>
+     *
+     * @param key
+     * @param defaultValue
+     *
+     * @return
+     */
+    static String getSystemProperty(final String key, final String defaultValue) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<String>() {
+                public String run() {
+                    return System.getProperty(key, defaultValue);
+                }
+            });
+        } else {
+            return System.getProperty(key, defaultValue);
+        }
+    }
+
+    /**
+     * Load a resource based on the passed {@link Class} classloader. Failing which try with the Thread Context CL
+     *
+     * @param clazz
+     * @param resourceName
+     *
+     * @return
+     */
+    static URL loadResource(final Class<?> clazz, final String resourceName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<URL>() {
+                public URL run() {
+                    URL url = null;
+                    ClassLoader clazzLoader = clazz.getClassLoader();
+                    url = clazzLoader.getResource(resourceName);
+
+                    if (url == null) {
+                        clazzLoader = Thread.currentThread().getContextClassLoader();
+                        url = clazzLoader.getResource(resourceName);
+                    }
+
+                    return url;
+                }
+            });
+        } else {
+            URL url = null;
+            ClassLoader clazzLoader = clazz.getClassLoader();
+            url = clazzLoader.getResource(resourceName);
+
+            if (url == null) {
+                clazzLoader = Thread.currentThread().getContextClassLoader();
+                url = clazzLoader.getResource(resourceName);
+            }
+
+            return url;
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/SAML11Constants.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/SAML11Constants.java
new file mode 100755
index 0000000000..ba325c953d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/SAML11Constants.java
@@ -0,0 +1,131 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v1;
+
+/**
+ * Constants for the SAML v1.1 Specifications
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 22, 2011
+ */
+public interface SAML11Constants {
+
+    String ACTION = "Action";
+
+    String ASSERTIONID = "AssertionID";
+
+    String ASSERTION_11_NSURI = "urn:oasis:names:tc:SAML:1.0:assertion";
+
+    String ASSERTION_ARTIFACT = "AssertionArtifact";
+
+    String ASSERTION_ID_REF = "AssertionIDReference";
+
+    String ATTRIBUTE_QUERY = "AttributeQuery";
+
+    String ATTRIBUTE_NAME = "AttributeName";
+
+    String ATTRIBUTE_NAMESPACE = "AttributeNamespace";
+
+    String ATTRIBUTE_STATEMENT = "AttributeStatement";
+
+    String AUDIENCE_RESTRICTION_CONDITION = "AudienceRestrictionCondition";
+
+    String AUTHENTICATION_INSTANT = "AuthenticationInstant";
+
+    String AUTHENTICATION_METHOD = "AuthenticationMethod";
+
+    String AUTH_METHOD_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password";
+
+    String AUTH_METHOD_KERBEROS = "urn:ietf:rfc:1510";
+
+    String AUTH_METHOD_SRP = "urn:ietf:rfc:2945";
+
+    String AUTH_METHOD_TLS = "urn:ietf:rfc:2246";
+
+    String AUTHENTICATION_QUERY = "AuthenticationQuery";
+
+    String AUTHENTICATION_STATEMENT = "AuthenticationStatement";
+
+    String AUTHORITY_BINDING = "AuthorityBinding";
+
+    String AUTHORITY_KIND = "AuthorityKind";
+
+    String AUTHORIZATION_DECISION_QUERY = "AuthorizationDecisionQuery";
+
+    String AUTHORIZATION_DECISION_STATEMENT = "AuthorizationDecisionStatement";
+
+    String BINDING = "Binding";
+
+    String CONFIRMATION_METHOD = "ConfirmationMethod";
+
+    String DECISION = "Decision";
+
+    String DNS_ADDRESS = "DNSAddress";
+
+    String EVIDENCE = "Evidence";
+
+    String FORMAT = "Format";
+
+    String FORMAT_EMAIL_ADDRESS = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress";
+
+    String FORMAT_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified";
+
+    String IN_RESPONSE_TO = "InResponseTo";
+
+    String IP_ADDRESS = "IPAddress";
+
+    String ISSUER = "Issuer";
+
+    String ISSUE_INSTANT = "IssueInstant";
+
+    String LOCATION = "Location";
+
+    String MAJOR_VERSION = "MajorVersion";
+
+    String MINOR_VERSION = "MinorVersion";
+
+    String NAME_IDENTIFIER = "NameIdentifier";
+
+    String NAME_QUALIFIER = "NameQualifier";
+
+    String NAMESPACE = "Namespace";
+
+    String PROTOCOL_11_NSURI = "urn:oasis:names:tc:SAML:1.0:protocol";
+
+    String RECIPIENT = "Recipient";
+
+    String REQUEST = "Request";
+
+    String REQUEST_ID = "RequestID";
+
+    String RESOURCE = "Resource";
+
+    String RESPONSE = "Response";
+
+    String RESPONSE_ID = "ResponseID";
+
+    String STATUS = "Status";
+
+    String STATUS_CODE = "StatusCode";
+
+    String STATUS_DETAIL = "StatusDetail";
+
+    String STATUS_MSG = "StatusMessage";
+
+    String VALUE = "Value";
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/BaseSAML11Writer.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/BaseSAML11Writer.java
new file mode 100755
index 0000000000..2adfac77b4
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/BaseSAML11Writer.java
@@ -0,0 +1,48 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v1.writers;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+
+import javax.xml.stream.XMLStreamWriter;
+
+/**
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 27, 2011
+ */
+public abstract class BaseSAML11Writer {
+
+    protected static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    protected static String PROTOCOL_PREFIX = "samlp";
+
+    protected static String ASSERTION_PREFIX = "saml";
+
+    protected static String XACML_SAML_PREFIX = "xacml-saml";
+
+    protected static String XACML_SAML_PROTO_PREFIX = "xacml-samlp";
+
+    protected static String XSI_PREFIX = "xsi";
+
+    protected XMLStreamWriter writer;
+
+    public BaseSAML11Writer(XMLStreamWriter writer) {
+        this.writer = writer;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/SAML11AssertionWriter.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/SAML11AssertionWriter.java
new file mode 100755
index 0000000000..ec5073bea1
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/SAML11AssertionWriter.java
@@ -0,0 +1,446 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v1.writers;
+
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.StaxUtil;
+import org.keycloak.saml.common.util.StringUtil;
+import org.keycloak.saml.processing.core.saml.v1.SAML11Constants;
+import org.keycloak.dom.saml.v1.assertion.SAML11ActionType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AdviceType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AssertionType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AttributeStatementType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AttributeType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AudienceRestrictionCondition;
+import org.keycloak.dom.saml.v1.assertion.SAML11AuthenticationStatementType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AuthorityBindingType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AuthorizationDecisionStatementType;
+import org.keycloak.dom.saml.v1.assertion.SAML11ConditionAbstractType;
+import org.keycloak.dom.saml.v1.assertion.SAML11ConditionsType;
+import org.keycloak.dom.saml.v1.assertion.SAML11EvidenceType;
+import org.keycloak.dom.saml.v1.assertion.SAML11NameIdentifierType;
+import org.keycloak.dom.saml.v1.assertion.SAML11StatementAbstractType;
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectConfirmationType;
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectLocalityType;
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectStatementType;
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectType;
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectType.SAML11SubjectTypeChoice;
+import org.keycloak.dom.saml.v2.assertion.StatementAbstractType;
+import org.keycloak.dom.saml.v2.metadata.LocalizedNameType;
+import org.w3c.dom.Element;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamWriter;
+import java.net.URI;
+import java.util.List;
+
+/**
+ * Write the SAML 11 Assertion to stream
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since June 24, 2011
+ */
+public class SAML11AssertionWriter extends BaseSAML11Writer {
+
+    String ns = SAML11Constants.ASSERTION_11_NSURI;
+
+    public SAML11AssertionWriter(XMLStreamWriter writer) {
+        super(writer);
+    }
+
+    /**
+     * Write an {@code SAML11AssertionType} to stream
+     *
+     * @param assertion
+     * @param out
+     *
+     * @throws ProcessingException
+     */
+    public void write(SAML11AssertionType assertion) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.ASSERTION.get(), ns);
+        StaxUtil.writeNameSpace(writer, ASSERTION_PREFIX, ns);
+        StaxUtil.writeDefaultNameSpace(writer, ns);
+
+        // Attributes
+        // StaxUtil.writeAttribute(writer, JBossSAMLConstants.ID.get(), assertion.getID());
+        StaxUtil.writeAttribute(writer, SAML11Constants.ASSERTIONID, assertion.getID());
+        StaxUtil.writeAttribute(writer, SAML11Constants.MAJOR_VERSION, assertion.getMajorVersion() + "");
+        StaxUtil.writeAttribute(writer, SAML11Constants.MINOR_VERSION, assertion.getMinorVersion() + "");
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ISSUE_INSTANT.get(), assertion.getIssueInstant().toString());
+
+        String issuer = assertion.getIssuer();
+        if (issuer != null) {
+            StaxUtil.writeAttribute(writer, SAML11Constants.ISSUER, issuer);
+        }
+
+        SAML11ConditionsType conditions = assertion.getConditions();
+        if (conditions != null) {
+            StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.CONDITIONS.get(), ns);
+
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_BEFORE.get(), conditions.getNotBefore().toString());
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_ON_OR_AFTER.get(), conditions.getNotOnOrAfter().toString());
+
+            List<SAML11ConditionAbstractType> typeOfConditions = conditions.get();
+            if (typeOfConditions != null) {
+                for (SAML11ConditionAbstractType typeCondition : typeOfConditions) {
+                    if (typeCondition instanceof SAML11AudienceRestrictionCondition) {
+                        SAML11AudienceRestrictionCondition art = (SAML11AudienceRestrictionCondition) typeCondition;
+                        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, SAML11Constants.AUDIENCE_RESTRICTION_CONDITION, ns);
+                        List<URI> audiences = art.get();
+                        if (audiences != null) {
+                            for (URI audience : audiences) {
+                                StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.AUDIENCE.get(), ns);
+                                StaxUtil.writeCharacters(writer, audience.toString());
+                                StaxUtil.writeEndElement(writer);
+                            }
+                        }
+
+                        StaxUtil.writeEndElement(writer);
+                    }
+                }
+            }
+
+            StaxUtil.writeEndElement(writer);
+        }
+
+        SAML11AdviceType advice = assertion.getAdvice();
+        if (advice != null)
+            throw logger.notImplementedYet("Advice");
+
+        List<SAML11StatementAbstractType> statements = assertion.getStatements();
+        if (statements != null) {
+            for (SAML11StatementAbstractType statement : statements) {
+                if (statement instanceof SAML11AuthenticationStatementType) {
+                    write((SAML11AuthenticationStatementType) statement);
+                } else if (statement instanceof SAML11AttributeStatementType) {
+                    write((SAML11AttributeStatementType) statement);
+                } else if (statement instanceof SAML11AuthorizationDecisionStatementType) {
+                    write((SAML11AuthorizationDecisionStatementType) statement);
+                } else if (statement instanceof SAML11SubjectStatementType) {
+                    write((SAML11SubjectStatementType) statement);
+                } else
+                    throw logger.writerUnknownTypeError(statement.getClass().getName());
+            }
+        }
+
+        Element sig = assertion.getSignature();
+        if (sig != null)
+            StaxUtil.writeDOMElement(writer, sig);
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * Write an {@code StatementAbstractType} to stream
+     *
+     * @param statement
+     * @param out
+     *
+     * @throws ProcessingException
+     */
+    public void write(StatementAbstractType statement) throws ProcessingException {
+        throw logger.notImplementedYet("StatementAbstractType");
+    }
+
+    public void write(SAML11SubjectStatementType statement) throws ProcessingException {
+        throw logger.notImplementedYet("SAML11SubjectStatementType");
+    }
+
+    public void write(SAML11AttributeStatementType statement) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.ATTRIBUTE_STATEMENT.get(),
+                SAML11Constants.ASSERTION_11_NSURI);
+
+        SAML11SubjectType subject = statement.getSubject();
+        if (subject != null)
+            write(subject);
+
+        List<SAML11AttributeType> attributes = statement.get();
+        if (attributes != null) {
+            for (SAML11AttributeType attr : attributes) {
+                write(attr);
+            }
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * Write an {@code AuthnStatementType} to stream
+     *
+     * @param authnStatement
+     * @param out
+     *
+     * @throws ProcessingException
+     */
+    public void write(SAML11AuthenticationStatementType authnStatement) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, SAML11Constants.AUTHENTICATION_STATEMENT,
+                SAML11Constants.ASSERTION_11_NSURI);
+
+        XMLGregorianCalendar authnInstant = authnStatement.getAuthenticationInstant();
+        if (authnInstant != null) {
+            StaxUtil.writeAttribute(writer, SAML11Constants.AUTHENTICATION_INSTANT, authnInstant.toString());
+        }
+
+        URI authMethod = authnStatement.getAuthenticationMethod();
+        if (authMethod != null) {
+            StaxUtil.writeAttribute(writer, SAML11Constants.AUTHENTICATION_METHOD, authMethod.toString());
+        }
+
+        SAML11SubjectType subject = authnStatement.getSubject();
+        if (subject != null)
+            write(subject);
+
+        SAML11SubjectLocalityType locality = authnStatement.getSubjectLocality();
+        if (locality != null)
+            write(locality);
+
+        List<SAML11AuthorityBindingType> authorities = authnStatement.getAuthorityBindingType();
+        for (SAML11AuthorityBindingType authority : authorities) {
+            write(authority);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void write(SAML11AuthorityBindingType authority) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, SAML11Constants.AUTHORITY_BINDING,
+                SAML11Constants.ASSERTION_11_NSURI);
+
+        QName authorityKind = authority.getAuthorityKind();
+        StaxUtil.writeAttribute(writer, SAML11Constants.AUTHORITY_KIND, authorityKind);
+
+        String binding = authority.getBinding().toString();
+        StaxUtil.writeAttribute(writer, SAML11Constants.BINDING, binding);
+
+        String location = authority.getLocation().toString();
+        StaxUtil.writeAttribute(writer, SAML11Constants.LOCATION, location);
+
+        StaxUtil.writeEndElement(writer);
+    }
+
+    public void write(SAML11SubjectLocalityType locality) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.SUBJECT_LOCALITY.get(),
+                SAML11Constants.ASSERTION_11_NSURI);
+        String ip = locality.getIpAddress();
+        if (StringUtil.isNotNull(ip)) {
+            StaxUtil.writeAttribute(writer, SAML11Constants.IP_ADDRESS, ip);
+        }
+        String dns = locality.getDnsAddress();
+        if (StringUtil.isNotNull(dns)) {
+            StaxUtil.writeAttribute(writer, SAML11Constants.DNS_ADDRESS, dns);
+        }
+        StaxUtil.writeEndElement(writer);
+    }
+
+    public void write(SAML11AuthorizationDecisionStatementType xacmlStat) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, SAML11Constants.AUTHORIZATION_DECISION_STATEMENT, ns);
+
+        String resource = xacmlStat.getResource().toString();
+        StaxUtil.writeAttribute(writer, SAML11Constants.RESOURCE, resource);
+
+        StaxUtil.writeAttribute(writer, SAML11Constants.DECISION, xacmlStat.getDecision().name());
+
+        SAML11SubjectType subject = xacmlStat.getSubject();
+        if (subject != null)
+            write(subject);
+
+        List<SAML11ActionType> actions = xacmlStat.getActions();
+        for (SAML11ActionType action : actions) {
+            write(action);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * write an {@code SubjectType} to stream
+     *
+     * @param subject
+     * @param out
+     *
+     * @throws ProcessingException
+     */
+    public void write(SAML11SubjectType subject) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.SUBJECT.get(),
+                SAML11Constants.ASSERTION_11_NSURI);
+        StaxUtil.writeNameSpace(writer, ASSERTION_PREFIX, ns);
+
+        SAML11SubjectTypeChoice choice = subject.getChoice();
+        if (choice != null) {
+            SAML11NameIdentifierType nameid = choice.getNameID();
+            if (nameid != null) {
+                write(nameid);
+            }
+
+            SAML11SubjectConfirmationType confirmation = choice.getSubjectConfirmation();
+            if (confirmation != null)
+                write(confirmation);
+        }
+
+        SAML11SubjectConfirmationType confirmation = subject.getSubjectConfirmation();
+        if (confirmation != null)
+            write(confirmation);
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void write(SAML11SubjectConfirmationType confirmation) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.SUBJECT_CONFIRMATION.get(),
+                SAML11Constants.ASSERTION_11_NSURI);
+        List<URI> confirmationMethods = confirmation.getConfirmationMethod();
+        if (confirmationMethods != null) {
+            for (URI confirmationMethod : confirmationMethods) {
+                StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, SAML11Constants.CONFIRMATION_METHOD,
+                        SAML11Constants.ASSERTION_11_NSURI);
+                StaxUtil.writeCharacters(writer, confirmationMethod.toString());
+                StaxUtil.writeEndElement(writer);
+            }
+        }
+
+        Element keyInfo = confirmation.getKeyInfo();
+        if (keyInfo != null) {
+            StaxUtil.writeDOMElement(writer, keyInfo);
+        }
+
+        Object subjectConfirmationData = confirmation.getSubjectConfirmationData();
+        if (subjectConfirmationData != null) {
+            writeSubjectConfirmationData(subjectConfirmationData);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void writeSubjectConfirmationData(Object scData) throws ProcessingException {
+        throw logger.notImplementedYet("SubjectConfirmationData");
+    }
+
+    public void write(SAML11NameIdentifierType nameid) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, SAML11Constants.NAME_IDENTIFIER,
+                SAML11Constants.ASSERTION_11_NSURI);
+
+        URI format = nameid.getFormat();
+        if (format != null) {
+            StaxUtil.writeAttribute(writer, SAML11Constants.FORMAT, format.toString());
+        }
+        String nameQualifier = nameid.getNameQualifier();
+        if (StringUtil.isNotNull(nameQualifier)) {
+            StaxUtil.writeAttribute(writer, SAML11Constants.NAME_QUALIFIER, nameQualifier);
+        }
+
+        StaxUtil.writeCharacters(writer, nameid.getValue());
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * Write an {@code AttributeType} to stream
+     *
+     * @param attributeType
+     * @param out
+     *
+     * @throws ProcessingException
+     */
+    public void write(SAML11AttributeType attributeType) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.ATTRIBUTE.get(), ns);
+
+        writeAttributeTypeWithoutRootTag(attributeType);
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void writeAttributeTypeWithoutRootTag(SAML11AttributeType attributeType) throws ProcessingException {
+        String attributeName = attributeType.getAttributeName();
+        if (StringUtil.isNullOrEmpty(attributeName))
+            throw logger.writerNullValueError("attribute name");
+        StaxUtil.writeAttribute(writer, SAML11Constants.ATTRIBUTE_NAME, attributeName);
+
+        String attributeNamespace = attributeType.getAttributeNamespace().toString();
+        if (StringUtil.isNullOrEmpty(attributeNamespace))
+            throw logger.writerNullValueError("attribute namespace");
+        StaxUtil.writeAttribute(writer, SAML11Constants.ATTRIBUTE_NAMESPACE, attributeNamespace);
+
+        List<Object> attributeValues = attributeType.get();
+        if (attributeValues != null) {
+            for (Object attributeValue : attributeValues) {
+                if (attributeValue instanceof String) {
+                    writeStringAttributeValue((String) attributeValue);
+                } else
+                    throw logger.writerUnsupportedAttributeValueError(attributeValue.getClass().getName());
+            }
+        }
+    }
+
+    public void writeStringAttributeValue(String attributeValue) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.ATTRIBUTE_VALUE.get(), ns);
+
+        StaxUtil.writeNameSpace(writer, JBossSAMLURIConstants.XSI_PREFIX.get(), JBossSAMLURIConstants.XSI_NSURI.get());
+        StaxUtil.writeNameSpace(writer, "xs", JBossSAMLURIConstants.XMLSCHEMA_NSURI.get());
+        StaxUtil.writeAttribute(writer, "xsi", JBossSAMLURIConstants.XSI_NSURI.get(), "type", "xs:string");
+        StaxUtil.writeCharacters(writer, attributeValue);
+        StaxUtil.writeEndElement(writer);
+    }
+
+    public void writeLocalizedNameType(LocalizedNameType localizedNameType, QName startElement) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, startElement.getPrefix(), startElement.getLocalPart(),
+                startElement.getNamespaceURI());
+        StaxUtil.writeAttribute(writer, new QName(JBossSAMLURIConstants.XML.get(), "lang", "xml"), localizedNameType.getLang());
+        StaxUtil.writeCharacters(writer, localizedNameType.getValue());
+        StaxUtil.writeEndElement(writer);
+    }
+
+    public void write(SAML11ActionType action) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, SAML11Constants.ACTION, ns);
+        String ns = action.getNamespace();
+        if (StringUtil.isNotNull(ns)) {
+            StaxUtil.writeAttribute(writer, SAML11Constants.NAMESPACE, ns);
+        }
+        String val = action.getValue();
+        if (StringUtil.isNotNull(val)) {
+            StaxUtil.writeCharacters(writer, val);
+        }
+        StaxUtil.writeEndElement(writer);
+    }
+
+    public void write(SAML11EvidenceType evidence) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, SAML11Constants.EVIDENCE, ns);
+
+        List<String> assertionIDRefs = evidence.getAssertionIDReference();
+        for (String assertionIDRef : assertionIDRefs) {
+            StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, SAML11Constants.ASSERTION_ID_REF, ns);
+            StaxUtil.writeCharacters(writer, assertionIDRef);
+            StaxUtil.writeEndElement(writer);
+        }
+
+        List<SAML11AssertionType> assertions = evidence.getAssertions();
+        for (SAML11AssertionType assertion : assertions) {
+            write(assertion);
+        }
+        StaxUtil.writeEndElement(writer);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/SAML11RequestWriter.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/SAML11RequestWriter.java
new file mode 100755
index 0000000000..60b4695e00
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/SAML11RequestWriter.java
@@ -0,0 +1,171 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v1.writers;
+
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.StaxUtil;
+import org.keycloak.saml.processing.core.saml.v1.SAML11Constants;
+import org.keycloak.dom.saml.v1.assertion.SAML11ActionType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AttributeDesignatorType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AttributeType;
+import org.keycloak.dom.saml.v1.assertion.SAML11EvidenceType;
+import org.keycloak.dom.saml.v1.assertion.SAML11SubjectType;
+import org.keycloak.dom.saml.v1.protocol.SAML11AttributeQueryType;
+import org.keycloak.dom.saml.v1.protocol.SAML11AuthenticationQueryType;
+import org.keycloak.dom.saml.v1.protocol.SAML11AuthorizationDecisionQueryType;
+import org.keycloak.dom.saml.v1.protocol.SAML11QueryAbstractType;
+import org.keycloak.dom.saml.v1.protocol.SAML11RequestType;
+
+import javax.xml.stream.XMLStreamWriter;
+import java.net.URI;
+import java.util.List;
+
+/**
+ * Write the {@link org.keycloak.dom.saml.v1.protocol.SAML11RequestType} to stream
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 27, 2011
+ */
+public class SAML11RequestWriter extends BaseSAML11Writer {
+
+    protected String namespace = SAML11Constants.PROTOCOL_11_NSURI;
+
+    protected SAML11AssertionWriter assertionWriter;
+
+    public SAML11RequestWriter(XMLStreamWriter writer) {
+        super(writer);
+        assertionWriter = new SAML11AssertionWriter(writer);
+    }
+
+    public void write(SAML11RequestType request) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, SAML11Constants.REQUEST, namespace);
+        StaxUtil.writeNameSpace(writer, PROTOCOL_PREFIX, namespace);
+        StaxUtil.writeNameSpace(writer, ASSERTION_PREFIX, SAML11Constants.ASSERTION_11_NSURI);
+        StaxUtil.writeDefaultNameSpace(writer, namespace);
+
+        // Attributes
+        StaxUtil.writeAttribute(writer, SAML11Constants.REQUEST_ID, request.getID());
+        StaxUtil.writeAttribute(writer, SAML11Constants.MAJOR_VERSION, request.getMajorVersion() + "");
+        StaxUtil.writeAttribute(writer, SAML11Constants.MINOR_VERSION, request.getMinorVersion() + "");
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ISSUE_INSTANT.get(), request.getIssueInstant().toString());
+
+        List<String> assertionIDRefs = request.getAssertionIDRef();
+        for (String assertionIDRef : assertionIDRefs) {
+            StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, SAML11Constants.ASSERTION_ID_REF,
+                    SAML11Constants.ASSERTION_11_NSURI);
+            StaxUtil.writeCharacters(writer, assertionIDRef);
+            StaxUtil.writeEndElement(writer);
+        }
+
+        List<String> assertionArtifacts = request.getAssertionArtifact();
+        for (String assertionArtifact : assertionArtifacts) {
+            StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, SAML11Constants.ASSERTION_ARTIFACT, namespace);
+            StaxUtil.writeCharacters(writer, assertionArtifact);
+            StaxUtil.writeEndElement(writer);
+        }
+
+        SAML11QueryAbstractType query = request.getQuery();
+        if (query instanceof SAML11AuthenticationQueryType) {
+            SAML11AuthenticationQueryType authQuery = (SAML11AuthenticationQueryType) query;
+            write(authQuery);
+        } else if (query instanceof SAML11AttributeQueryType) {
+            SAML11AttributeQueryType attQuery = (SAML11AttributeQueryType) query;
+            write(attQuery);
+        } else if (query instanceof SAML11AuthenticationQueryType) {
+            SAML11AuthenticationQueryType attQuery = (SAML11AuthenticationQueryType) query;
+            write(attQuery);
+        } else if (query instanceof SAML11AuthorizationDecisionQueryType) {
+            SAML11AuthorizationDecisionQueryType attQuery = (SAML11AuthorizationDecisionQueryType) query;
+            write(attQuery);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void write(SAML11AuthenticationQueryType auth) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, SAML11Constants.AUTHENTICATION_QUERY, namespace);
+
+        URI authMethod = auth.getAuthenticationMethod();
+        if (authMethod != null) {
+            StaxUtil.writeAttribute(writer, SAML11Constants.AUTHENTICATION_METHOD, authMethod.toString());
+        }
+
+        SAML11SubjectType subject = auth.getSubject();
+        if (subject != null) {
+            assertionWriter.write(subject);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void write(SAML11AttributeQueryType attr) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, SAML11Constants.ATTRIBUTE_QUERY, namespace);
+
+        URI resource = attr.getResource();
+        if (resource != null) {
+            StaxUtil.writeAttribute(writer, SAML11Constants.RESOURCE, resource.toString());
+        }
+
+        SAML11SubjectType subject = attr.getSubject();
+        if (subject != null) {
+            assertionWriter.write(subject);
+        }
+
+        List<SAML11AttributeDesignatorType> attributes = attr.get();
+        for (SAML11AttributeDesignatorType attribute : attributes) {
+            if (attribute instanceof SAML11AttributeType) {
+                SAML11AttributeType sat = (SAML11AttributeType) attribute;
+                assertionWriter.write(sat);
+            } else
+                throw logger.writerUnknownTypeError(attribute.getClass().getName());
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void write(SAML11AuthorizationDecisionQueryType attr) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, SAML11Constants.AUTHORIZATION_DECISION_QUERY, namespace);
+
+        URI resource = attr.getResource();
+        if (resource != null) {
+            StaxUtil.writeAttribute(writer, SAML11Constants.RESOURCE, resource.toString());
+        }
+
+        SAML11SubjectType subject = attr.getSubject();
+        if (subject != null) {
+            assertionWriter.write(subject);
+        }
+
+        List<SAML11ActionType> actions = attr.get();
+        for (SAML11ActionType action : actions) {
+            assertionWriter.write(action);
+        }
+
+        SAML11EvidenceType evidence = attr.getEvidence();
+        if (evidence != null) {
+            assertionWriter.write(evidence);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/SAML11ResponseWriter.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/SAML11ResponseWriter.java
new file mode 100755
index 0000000000..7e6f6fdab9
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v1/writers/SAML11ResponseWriter.java
@@ -0,0 +1,137 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v1.writers;
+
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.StaxUtil;
+import org.keycloak.saml.common.util.StringUtil;
+import org.keycloak.saml.processing.core.saml.v1.SAML11Constants;
+import org.keycloak.dom.saml.common.CommonStatusDetailType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AssertionType;
+import org.keycloak.dom.saml.v1.protocol.SAML11ResponseType;
+import org.keycloak.dom.saml.v1.protocol.SAML11StatusCodeType;
+import org.keycloak.dom.saml.v1.protocol.SAML11StatusType;
+import org.w3c.dom.Element;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamWriter;
+import java.net.URI;
+import java.util.List;
+
+/**
+ * Write the {@link SAML11ResponseType} to stream
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 29, 2011
+ */
+public class SAML11ResponseWriter extends BaseSAML11Writer {
+
+    protected String namespace = SAML11Constants.PROTOCOL_11_NSURI;
+
+    protected SAML11AssertionWriter assertionWriter;
+
+    public SAML11ResponseWriter(XMLStreamWriter writer) {
+        super(writer);
+        assertionWriter = new SAML11AssertionWriter(writer);
+    }
+
+    public void write(SAML11ResponseType response) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, SAML11Constants.RESPONSE, namespace);
+        StaxUtil.writeNameSpace(writer, PROTOCOL_PREFIX, namespace);
+        StaxUtil.writeNameSpace(writer, ASSERTION_PREFIX, SAML11Constants.ASSERTION_11_NSURI);
+
+        // Attributes
+        StaxUtil.writeAttribute(writer, SAML11Constants.RESPONSE_ID, response.getID());
+        StaxUtil.writeAttribute(writer, SAML11Constants.MAJOR_VERSION, response.getMajorVersion() + "");
+        StaxUtil.writeAttribute(writer, SAML11Constants.MINOR_VERSION, response.getMinorVersion() + "");
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ISSUE_INSTANT.get(), response.getIssueInstant().toString());
+        String inResp = response.getInResponseTo();
+        if (StringUtil.isNotNull(inResp)) {
+            StaxUtil.writeAttribute(writer, SAML11Constants.IN_RESPONSE_TO, inResp);
+        }
+
+        URI recipient = response.getRecipient();
+        if (recipient != null) {
+            StaxUtil.writeAttribute(writer, SAML11Constants.RECIPIENT, recipient.toString());
+        }
+
+        Element sig = response.getSignature();
+        if (sig != null) {
+            StaxUtil.writeDOMElement(writer, sig);
+        }
+
+        SAML11StatusType status = response.getStatus();
+        if (status != null) {
+            write(status);
+        }
+
+        List<SAML11AssertionType> assertions = response.get();
+        for (SAML11AssertionType assertion : assertions) {
+            assertionWriter.write(assertion);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void write(SAML11StatusType status) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, SAML11Constants.STATUS, namespace);
+
+        SAML11StatusCodeType statusCode = status.getStatusCode();
+        if (statusCode != null) {
+            write(statusCode);
+        }
+
+        String statusMsg = status.getStatusMessage();
+        if (StringUtil.isNotNull(statusMsg)) {
+            StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, SAML11Constants.STATUS_MSG, namespace);
+            StaxUtil.writeCharacters(writer, statusMsg);
+            StaxUtil.writeEndElement(writer);
+        }
+
+        CommonStatusDetailType details = status.getStatusDetail();
+        if (details != null) {
+            StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, SAML11Constants.STATUS_DETAIL, namespace);
+            List<Object> objs = details.getAny();
+            for (Object theObj : objs) {
+                StaxUtil.writeCharacters(writer, theObj.toString());
+            }
+            StaxUtil.writeEndElement(writer);
+        }
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void write(SAML11StatusCodeType statusCode) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, SAML11Constants.STATUS_CODE, namespace);
+
+        QName value = statusCode.getValue();
+        if (value == null)
+            throw logger.writerNullValueError("Attribute Value");
+        StaxUtil.writeAttribute(writer, SAML11Constants.VALUE, value);
+
+        SAML11StatusCodeType secondCode = statusCode.getStatusCode();
+        if (secondCode != null) {
+            write(secondCode);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/common/IDGenerator.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/common/IDGenerator.java
new file mode 100755
index 0000000000..bd0248afe6
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/common/IDGenerator.java
@@ -0,0 +1,58 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.common;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+
+import java.util.UUID;
+
+/**
+ * Utility class that generates unique IDs
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jan 5, 2009
+ */
+public class IDGenerator {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /*
+     * Create a basic unique ID
+     */
+    public static String create() {
+        return UUID.randomUUID().toString();
+    }
+
+    /**
+     * Create an id that is prefixed by a string
+     *
+     * @param prefix
+     *
+     * @return an id
+     *
+     * @throws IllegalArgumentException when prefix is null
+     */
+    public static String create(String prefix) {
+        if (prefix == null)
+            throw logger.nullArgumentError("prefix");
+        StringBuilder sb = new StringBuilder(prefix);
+        sb.append(IDGenerator.create());
+        return sb.toString();
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/common/SAMLDocumentHolder.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/common/SAMLDocumentHolder.java
new file mode 100755
index 0000000000..30bef07990
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/common/SAMLDocumentHolder.java
@@ -0,0 +1,64 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.common;
+
+import org.keycloak.dom.saml.v2.SAML2Object;
+import org.w3c.dom.Document;
+
+/**
+ * A Holder class that can store the SAML object as well as the corresponding DOM object.
+ *
+ * Users of this class need to make it threadsafe by having one instance per thread (ThreadLocal)
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Aug 13, 2009
+ */
+public class SAMLDocumentHolder {
+
+    private SAML2Object samlObject;
+    private Document samlDocument;
+
+    public SAMLDocumentHolder(SAML2Object samlObject) {
+        this.samlObject = samlObject;
+    }
+
+    public SAMLDocumentHolder(Document samlDocument) {
+        this.samlDocument = samlDocument;
+    }
+
+    public SAMLDocumentHolder(SAML2Object samlObject, Document samlDocument) {
+        this.samlObject = samlObject;
+        this.samlDocument = samlDocument;
+    }
+
+    public SAML2Object getSamlObject() {
+        return samlObject;
+    }
+
+    public void setSamlObject(SAML2Object samlObject) {
+        this.samlObject = samlObject;
+    }
+
+    public Document getSamlDocument() {
+        return samlDocument;
+    }
+
+    public void setSamlDocument(Document samlDocument) {
+        this.samlDocument = samlDocument;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/constants/X500SAMLProfileConstants.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/constants/X500SAMLProfileConstants.java
new file mode 100755
index 0000000000..3712f534e5
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/constants/X500SAMLProfileConstants.java
@@ -0,0 +1,154 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.constants;
+
+import java.util.EnumSet;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * X500 SAML Profile Constants Adapted from
+ * http://code.google.com/p/simplesamlphp/source/browse/trunk/attributemap/name2oid.php?r=2654
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Sep 11, 2009
+ */
+public enum X500SAMLProfileConstants {
+    A_RECORD("aRecord", "urn:oid:0.9.2342.19200300.100.1.26"), ALIASED_ENTRY_NAME("aliasedEntryName", "urn:oid:2.5.4.1"), ALIASED_OBJECT_NAME(
+            "aliasedObjectName", "urn:oid:2.5.4.1"), ASSOCIATED_DOMAIN("associatedDomain", "urn:oid:0.9.2342.19200300.100.1.37"), ASSOCIATED_NAME(
+            "associatedName", "urn:oid:0.9.2342.19200300.100.1.38"), AUDIO("audio", "urn:oid:0.9.2342.19200300.100.1.55"), AUTHORITY_REVOCATION_LIST(
+            "authorityRevocationList", "urn:oid:2.5.4.38"), BINDING_NAME("buildingName", "urn:oid:0.9.2342.19200300.100.1.48"), BUSINESS_CATEGORY(
+            "businessCategory", "urn:oid:2.5.4.15"), C("c", "urn:oid:2.5.4.6"), CA_CERTIFICATE("cACertificate",
+            "urn:oid:2.5.4.37"), CNAME_RECORD("cNAMERecord", "urn:oid:0.9.2342.19200300.100.1.31"), CAR_LICENSE("carLicense",
+            "urn:oid:2.16.840.1.113730.3.1.1"), CRL("certificateRevocationList", "urn:oid:2.5.4.39"), CN("cn",
+            "urn:oid:2.5.4.3"), CO("co", "urn:oid:0.9.2342.19200300.100.1.43"), COMMON_NAME("commonName", "urn:oid:2.5.4.3"), COUNTRY_NAME(
+            "countryName", "urn:oid:2.5.4.6"), CROSS_CERTIFICATE_PAIR("crossCertificatePair", "urn:oid:2.5.4.40"), D_IT_REDIRECT(
+            "dITRedirect", "urn:oid:0.9.2342.19200300.100.1.54"), D_SA_QUALITY("dSAQuality",
+            "urn:oid:0.9.2342.19200300.100.1.49"), DC("dc", "urn:oid:0.9.2342.19200300.100.1.25"), DELTA_REVOCATION_LIST(
+            "deltaRevocationList", "urn:oid:2.5.4.53"), DEPARTMENT_NUMBER("departmentNumber", "urn:oid:2.16.840.1.113730.3.1.2"), DESCRIPTION(
+            "description", "urn:oid:2.5.4.13"), DESTINATION_INDICATOR("destinationIndicator", "urn:oid:2.5.4.27"), DISPLAY_NAME(
+            "displayName", "urn:oid:2.16.840.1.113730.3.1.241"), DISTINGUISHED_NAME("distinguishedName", "urn:oid:2.5.4.49"), DMD_NAME(
+            "dmdName", "urn:oid:2.5.4.54"), DN_QUALIFIER("dnQualifier", "urn:oid:2.5.4.46"), DOCUMENT_AUTHOR("documentAuthor",
+            "urn:oid:0.9.2342.19200300.100.1.14"), DOCUMENT_IDENTIFIER("documentIdentifier",
+            "urn:oid:0.9.2342.19200300.100.1.11"), DOCUMENT_LOCATION("documentLocation", "urn:oid:0.9.2342.19200300.100.1.15"), DOCUMENT_PUBLISHER(
+            "documentPublisher", "urn:oid:0.9.2342.19200300.100.1.56"), DOCUMENT_TITLE("documentTitle",
+            "urn:oid:0.9.2342.19200300.100.1.12"), DOCUMENT_VERSION("documentVersion", "urn:oid:0.9.2342.19200300.100.1.13"), DOMAIN_COMPONENT(
+            "domainComponent", "urn:oid:0.9.2342.19200300.100.1.25"), DRINK("drink", "urn:oid:0.9.2342.19200300.100.1.5"), EDU_ORG_HOMEPAGEURI(
+            "eduOrgHomePageURI", "urn:oid:1.3.6.1.4.1.5923.1.2.1.2"), EDU_ORG_IDENTITY_AUTHN_POLICYURI(
+            "eduOrgIdentityAuthNPolicyURI", "urn:oid:1.3.6.1.4.1.5923.1.2.1.3"), EDU_ORG_LEGALNAME("eduOrgLegalName",
+            "urn:oid:1.3.6.1.4.1.5923.1.2.1.4"), EDU_ORG_SUPERIORURI("eduOrgSuperiorURI", "urn:oid:1.3.6.1.4.1.5923.1.2.1.5"), EDU_ORG_WHITEPAGESURI(
+            "eduOrgWhitePagesURI", "urn:oid:1.3.6.1.4.1.5923.1.2.1.6"), EDU_PERSON_AFFLIATION("eduPersonAffiliation",
+            "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"), EDU_PERSON_ENTITLEMENT("eduPersonEntitlement",
+            "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"), EDU_PERSON_NICKNAME("eduPersonNickname", "urn:oid:1.3.6.1.4.1.5923.1.1.1.2"), EDU_PERSON_ORG_DN(
+            "eduPersonOrgDN", "urn:oid:1.3.6.1.4.1.5923.1.1.1.3"), EDU_PERSION_ORG_UNIT_DN("eduPersonOrgUnitDN",
+            "urn:oid:1.3.6.1.4.1.5923.1.1.1.4"), EDU_PERSON_PRIMARY_AFFLIATION("eduPersonPrimaryAffiliation",
+            "urn:oid:1.3.6.1.4.1.5923.1.1.1.5"), EDU_PERSON_PRIMARY_ORG_UNIT_DN("eduPersonPrimaryOrgUnitDN",
+            "urn:oid:1.3.6.1.4.1.5923.1.1.1.8"), EDU_PERSON_PRINCIPAL_NAME("eduPersonPrincipalName",
+            "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"), EDU_PERSON_SCOPED_AFFLIATION("eduPersonScopedAffiliation",
+            "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"), EDU_PERSON_TARGETED_ID("eduPersonTargetedID",
+            "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"), EMAIL("email", "urn:oid:1.2.840.113549.1.9.1"), EMAIL_ADDRESS("emailAddress",
+            "urn:oid:1.2.840.113549.1.9.1"), EMPLOYEE_NUMBER("employeeNumber", "urn:oid:2.16.840.1.113730.3.1.3"), EMPLOYEE_TYPE(
+            "employeeType", "urn:oid:2.16.840.1.113730.3.1.4"), ENHANCED_SEARCH_GUIDE("enhancedSearchGuide", "urn:oid:2.5.4.47"), FAX_TELEPHONE_NUMBER(
+            "facsimileTelephoneNumber", "urn:oid:2.5.4.23"), FAVORITE_DRINK("favouriteDrink",
+            "urn:oid:0.9.2342.19200300.100.1.5"), FAX("fax", "urn:oid:2.5.4.23"), FEDERATION_FEIDE_SCHEMA_VERSION(
+            "federationFeideSchemaVersion", "urn:oid:1.3.6.1.4.1.2428.90.1.9"), FRIENDLY_COUNTRY_NAME("friendlyCountryName",
+            "urn:oid:0.9.2342.19200300.100.1.43"), GENERATION_QUALIFIER("generationQualifier", "urn:oid:2.5.4.44"), GIVEN_NAME(
+            "givenName", "urn:oid:2.5.4.42"), GN("gn", "urn:oid:2.5.4.42"), HOME_PHONE("homePhone",
+            "urn:oid:0.9.2342.19200300.100.1.20"), HOME_POSTAL_ADDRESS("homePostalAddress",
+            "urn:oid:0.9.2342.19200300.100.1.39"), HOME_TELEPHONE_NUMBER("homeTelephoneNumber",
+            "urn:oid:0.9.2342.19200300.100.1.20"), HOST("host", "urn:oid:0.9.2342.19200300.100.1.9"), HOUSE_IDENTIFIER(
+            "houseIdentifier", "urn:oid:2.5.4.51"), INFO("info", "urn:oid:0.9.2342.19200300.100.1.4"), INITIALS("initials",
+            "urn:oid:2.5.4.43"), INTERNATIONAL_ISDN_NUMBER("internationaliSDNNumber", "urn:oid:2.5.4.25"), IS_MEMBEROF(
+            "isMemberOf", "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"), JANET_MAILBOX("janetMailbox",
+            "urn:oid:0.9.2342.19200300.100.1.46"), JPEG_PHOTO("jpegPhoto", "urn:oid:0.9.2342.19200300.100.1.60"), KNOWLEDGE_INFORMATION(
+            "knowledgeInformation", "urn:oid:2.5.4.2"), L("l", "urn:oid:2.5.4.7"), LABELED_URI("labeledURI",
+            "urn:oid:1.3.6.1.4.1.250.1.57"), LOCALITY_NAME("localityName", "urn:oid:2.5.4.7"), M_DRECORD("mDRecord",
+            "urn:oid:0.9.2342.19200300.100.1.27"), M_XRECORD("mXRecord", "urn:oid:0.9.2342.19200300.100.1.28"), MAIL("mail",
+            "urn:oid:0.9.2342.19200300.100.1.3"), MAIL_PREFERENCEOPTION("mailPreferenceOption",
+            "urn:oid:0.9.2342.19200300.100.1.47"), MANAGER("manager", "urn:oid:0.9.2342.19200300.100.1.10"), MEMBER("member",
+            "urn:oid:2.5.4.31"), MOBILE("mobile", "urn:oid:0.9.2342.19200300.100.1.41"), MOBILE_TELEPHONE_NUMBER(
+            "mobileTelephoneNumber", "urn:oid:0.9.2342.19200300.100.1.41"), N_SRECORD("nSRecord",
+            "urn:oid:0.9.2342.19200300.100.1.29"), NAME("name", "urn:oid:2.5.4.41"), NOR_EDU_ORG_ACRONYM("norEduOrgAcronym",
+            "urn:oid:1.3.6.1.4.1.2428.90.1.6"), NOR_EDU_ORG_NIN("norEduOrgNIN", "urn:oid:1.3.6.1.4.1.2428.90.1.12"), NOR_EDU_ORG_SCHEMA_VERSION(
+            "norEduOrgSchemaVersion", "urn:oid:1.3.6.1.4.1.2428.90.1.11"), NOR_EDU_ORG_UNIQUE_IDENTIFIER(
+            "norEduOrgUniqueIdentifier", "urn:oid:1.3.6.1.4.1.2428.90.1.7"), NOR_EDU_ORG_UNIQUE_NUMBER("norEduOrgUniqueNumber",
+            "urn:oid:1.3.6.1.4.1.2428.90.1.1"), NOR_EDU_ORG_UNIT_UNIQUE_IDENTIFIER("norEduOrgUnitUniqueIdentifier",
+            "urn:oid:1.3.6.1.4.1.2428.90.1.8"), NOR_EDU_ORG_UNIT_UNIQUE_NUMBER("norEduOrgUnitUniqueNumber",
+            "urn:oid:1.3.6.1.4.1.2428.90.1.2"), NOR_EDU_PERSON_BIRTH_DATE("norEduPersonBirthDate",
+            "urn:oid:1.3.6.1.4.1.2428.90.1.3"), NOR_EDU_PERSON_LIN("norEduPersonLIN", "urn:oid:1.3.6.1.4.1.2428.90.1.4"), NOR_EDU_PERSON_NIN(
+            "norEduPersonNIN", "urn:oid:1.3.6.1.4.1.2428.90.1.5"), O("o", "urn:oid:2.5.4.10"), OBJECT_CLASS("objectClass",
+            "urn:oid:2.5.4.0"), ORGANIZATION_NAME("organizationName", "urn:oid:2.5.4.10"), ORGANIZATIONAL_STATUS(
+            "organizationalStatus", "urn:oid:0.9.2342.19200300.100.1.45"), ORGANIZATIONAL_UNIT_NAME("organizationalUnitName",
+            "urn:oid:2.5.4.11"), OTHER_MAIL_BOX("otherMailbox", "urn:oid:0.9.2342.19200300.100.1.22"), OU("ou",
+            "urn:oid:2.5.4.11"), OWNER("owner", "urn:oid:2.5.4.32"), PAGER("pager", "urn:oid:0.9.2342.19200300.100.1.42"), PAGER_TELEPHONE_NUMBER(
+            "pagerTelephoneNumber", "urn:oid:0.9.2342.19200300.100.1.42"), PERSONAL_SIGNATURE("personalSignature",
+            "urn:oid:0.9.2342.19200300.100.1.53"), PERSONAL_TITLE("personalTitle", "urn:oid:0.9.2342.19200300.100.1.40"), PHOTO(
+            "photo", "urn:oid:0.9.2342.19200300.100.1.7"), PHYSICAL_DELIVERY_OFFICE_NAME("physicalDeliveryOfficeName",
+            "urn:oid:2.5.4.19"), PKCS_9_EMAIL("pkcs9email", "urn:oid:1.2.840.113549.1.9.1"), POST_OFFICE_BOX("postOfficeBox",
+            "urn:oid:2.5.4.18"), POSTAL_ADDRESS("postalAddress", "urn:oid:2.5.4.16"), POSTAL_CODE("postalCode",
+            "urn:oid:2.5.4.17"), PREFERRED_DELIVERY_METHOD("preferredDeliveryMethod", "urn:oid:2.5.4.28"), PREFERRED_LANGUAGE(
+            "preferredLanguage", "urn:oid:2.16.840.1.113730.3.1.39"), PRESENTATION_ADDRESS("presentationAddress",
+            "urn:oid:2.5.4.29"), PROTOCOL_INFORMATION("protocolInformation", "urn:oid:2.5.4.48"), PSEUDONYM("pseudonym",
+            "urn:oid:2.5.4.65"), REGISTERED_ADDRESS("registeredAddress", "urn:oid:2.5.4.26"), RFC_822_MAILBOX("rfc822Mailbox",
+            "urn:oid:0.9.2342.19200300.100.1.3"), ROLE_OCCUPANT("roleOccupant", "urn:oid:2.5.4.33"), ROOM_NUMBER("roomNumber",
+            "urn:oid:0.9.2342.19200300.100.1.6"), S_OAR_RECORD("sOARecord", "urn:oid:0.9.2342.19200300.100.1.30"), SEARCH_GUIDE(
+            "searchGuide", "urn:oid:2.5.4.14"), SECRETARY("secretary", "urn:oid:0.9.2342.19200300.100.1.21"), SEE_ALSO(
+            "seeAlso", "urn:oid:2.5.4.34"), SERIAL_NUMBER("serialNumber", "urn:oid:2.5.4.5"), SINGLE_LEVEL_QUALITY(
+            "singleLevelQuality", "urn:oid:0.9.2342.19200300.100.1.50"), SN("sn", "urn:oid:2.5.4.4"), ST("st",
+            "urn:oid:2.5.4.8"), STATE_OR_PROVINCE_NAME("stateOrProvinceName", "urn:oid:2.5.4.8"), STREET("street",
+            "urn:oid:2.5.4.9"), STREET_ADDRESS("streetAddress", "urn:oid:2.5.4.9"), SUBTREE_MAXIMUM_QUALITY(
+            "subtreeMaximumQuality", "urn:oid:0.9.2342.19200300.100.1.52"), SUBTREE_MINIMUM_QUALITY("subtreeMinimumQuality",
+            "urn:oid:0.9.2342.19200300.100.1.51"), SUPPORTED_ALGORITHMS("supportedAlgorithms", "urn:oid:2.5.4.52"), SUPPORTED_APPLICATION_CONTEXT(
+            "supportedApplicationContext", "urn:oid:2.5.4.30"), SURNAME("surname", "urn:oid:2.5.4.4"), TELEPHONE_NUMBER(
+            "telephoneNumber", "urn:oid:2.5.4.20"), TELETEX_TERMINAL_IDENTIFIER("teletexTerminalIdentifier", "urn:oid:2.5.4.22"), TELEX_NUMBER(
+            "telexNumber", "urn:oid:2.5.4.21"), TEXT_ENCODED_OR_ADDRESS("textEncodedORAddress",
+            "urn:oid:0.9.2342.19200300.100.1.2"), TITLE("title", "urn:oid:2.5.4.12"), UID("uid",
+            "urn:oid:0.9.2342.19200300.100.1.1"), UNIQUE_IDENTIFIER("uniqueIdentifier", "urn:oid:0.9.2342.19200300.100.1.44"), UNIQUE_MEMBER(
+            "uniqueMember", "urn:oid:2.5.4.50"), USER_CERTIFICATE("userCertificate", "urn:oid:2.5.4.36"), USER_CLASS(
+            "userClass", "urn:oid:0.9.2342.19200300.100.1.8"), USER_PKCS12("userPKCS12", "urn:oid:2.16.840.1.113730.3.1.216"), USER_PASSWORD(
+            "userPassword", "urn:oid:2.5.4.35"), USER_SMIME_CERTIFICATE("userSMIMECertificate",
+            "urn:oid:2.16.840.1.113730.3.1.40"), USERID("userid", "urn:oid:0.9.2342.19200300.100.1.1"), X121_ADDRESS(
+            "x121Address", "urn:oid:2.5.4.24"), X500_UNIQUE_IDENTIFIER("x500UniqueIdentifier", "urn:oid:2.5.4.45");
+
+    private String friendlyName = null;
+    private String uri = null;
+
+    private static final Map<String, String> lookup = new HashMap<String, String>();
+
+    static {
+        for (X500SAMLProfileConstants s : EnumSet.allOf(X500SAMLProfileConstants.class))
+            lookup.put(s.friendlyName, s.uri);
+    }
+
+    private X500SAMLProfileConstants(String friendlyName, String uristr) {
+        this.uri = uristr;
+        this.friendlyName = friendlyName;
+    }
+
+    public String get() {
+        return this.uri;
+    }
+
+    public String getFriendlyName() {
+        return friendlyName;
+    }
+
+    public static String getOID(final String key) {
+        return lookup.get(key);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/factories/JBossSAMLAuthnResponseFactory.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/factories/JBossSAMLAuthnResponseFactory.java
new file mode 100755
index 0000000000..ce40812f87
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/factories/JBossSAMLAuthnResponseFactory.java
@@ -0,0 +1,217 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.factories;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.processing.core.saml.v2.common.IDGenerator;
+import org.keycloak.saml.processing.core.saml.v2.holders.IDPInfoHolder;
+import org.keycloak.saml.processing.core.saml.v2.holders.IssuerInfoHolder;
+import org.keycloak.saml.processing.core.saml.v2.holders.SPInfoHolder;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
+import org.keycloak.dom.saml.v2.assertion.ConditionsType;
+import org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.assertion.StatementAbstractType;
+import org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType;
+import org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType;
+import org.keycloak.dom.saml.v2.assertion.SubjectType;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
+import org.keycloak.dom.saml.v2.protocol.ResponseType.RTChoiceType;
+import org.keycloak.dom.saml.v2.protocol.StatusCodeType;
+import org.keycloak.dom.saml.v2.protocol.StatusType;
+import org.w3c.dom.Element;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.net.URI;
+import java.util.List;
+
+/**
+ * Factory for the SAML v2 Authn Response
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 9, 2008
+ */
+public class JBossSAMLAuthnResponseFactory {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * Create a StatusType given the status code uri
+     *
+     * @param statusCodeURI
+     *
+     * @return
+     */
+    public static StatusType createStatusType(String statusCodeURI) {
+        StatusCodeType sct = new StatusCodeType();
+        sct.setValue(URI.create(statusCodeURI));
+
+        StatusType statusType = new StatusType();
+        statusType.setStatusCode(sct);
+        return statusType;
+    }
+
+    /**
+     * <p>Create a <code>StatusType</code> with a top-level <code>org.picketlink.common.constants.JBossSAMLURIConstants.STATUS_RESPONDER</code>
+     * and a second-level code reflecting the given <code>statusCodeURI</code>.</p>
+     *
+     * @param statusCodeURI The second-level code.
+     *
+     * @return
+     */
+    public static StatusType createStatusTypeForResponder(String statusCodeURI) {
+        StatusCodeType topLevelCode = new StatusCodeType();
+
+        topLevelCode.setValue(URI.create(JBossSAMLURIConstants.STATUS_RESPONDER.get()));
+
+        StatusCodeType secondLevelCode = new StatusCodeType();
+
+        secondLevelCode.setValue(URI.create(statusCodeURI));
+
+        topLevelCode.setStatusCode(secondLevelCode);
+
+        StatusType statusType = new StatusType();
+
+        statusType.setStatusCode(topLevelCode);
+
+        return statusType;
+    }
+
+    /**
+     * Create a ResponseType
+     *
+     * @param ID id of the response
+     * @param sp holder with the information about the Service Provider
+     * @param idp holder with the information on the Identity Provider
+     * @param issuerInfo holder with information on the issuer
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public static ResponseType createResponseType(String ID, SPInfoHolder sp, IDPInfoHolder idp, IssuerInfoHolder issuerInfo)
+            throws ConfigurationException {
+        String responseDestinationURI = sp.getResponseDestinationURI();
+
+        XMLGregorianCalendar issueInstant = XMLTimeUtil.getIssueInstant();
+
+        // Create an assertion
+        String id = IDGenerator.create("ID_");
+
+        // Create assertion -> subject
+        SubjectType subjectType = new SubjectType();
+
+        // subject -> nameid
+        NameIDType nameIDType = new NameIDType();
+        nameIDType.setFormat(URI.create(idp.getNameIDFormat()));
+        nameIDType.setValue(idp.getNameIDFormatValue());
+
+        SubjectType.STSubType subType = new SubjectType.STSubType();
+        subType.addBaseID(nameIDType);
+        subjectType.setSubType(subType);
+
+        SubjectConfirmationType subjectConfirmation = new SubjectConfirmationType();
+        subjectConfirmation.setMethod(idp.getSubjectConfirmationMethod());
+
+        SubjectConfirmationDataType subjectConfirmationData = new SubjectConfirmationDataType();
+        subjectConfirmationData.setInResponseTo(sp.getRequestID());
+        subjectConfirmationData.setRecipient(responseDestinationURI);
+        //subjectConfirmationData.setNotBefore(issueInstant);
+        subjectConfirmationData.setNotOnOrAfter(issueInstant);
+
+        subjectConfirmation.setSubjectConfirmationData(subjectConfirmationData);
+
+        subjectType.addConfirmation(subjectConfirmation);
+
+        AssertionType assertionType = SAMLAssertionFactory.createAssertion(id, nameIDType, issueInstant, (ConditionsType) null,
+                subjectType, (List<StatementAbstractType>) null);
+
+        ResponseType responseType = createResponseType(ID, issuerInfo, assertionType);
+        // InResponseTo ID
+        responseType.setInResponseTo(sp.getRequestID());
+        // Destination
+        responseType.setDestination(responseDestinationURI);
+
+        return responseType;
+    }
+
+    /**
+     * Create a Response Type
+     *
+     * @param ID
+     * @param issuerInfo
+     * @param assertionType
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public static ResponseType createResponseType(String ID, IssuerInfoHolder issuerInfo, AssertionType assertionType)
+            throws ConfigurationException {
+        XMLGregorianCalendar issueInstant = XMLTimeUtil.getIssueInstant();
+        ResponseType responseType = new ResponseType(ID, issueInstant);
+
+        // Issuer
+        NameIDType issuer = issuerInfo.getIssuer();
+        responseType.setIssuer(issuer);
+
+        // Status
+        String statusCode = issuerInfo.getStatusCode();
+        if (statusCode == null)
+            throw logger.issuerInfoMissingStatusCodeError();
+
+        responseType.setStatus(createStatusType(statusCode));
+
+        responseType.addAssertion(new RTChoiceType(assertionType));
+        return responseType;
+    }
+
+    /**
+     * Create a Response Type
+     *
+     * @param ID
+     * @param issuerInfo
+     * @param encryptedAssertion a DOM {@link Element} that represents an encrypted assertion
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public static ResponseType createResponseType(String ID, IssuerInfoHolder issuerInfo, Element encryptedAssertion)
+            throws ConfigurationException {
+        ResponseType responseType = new ResponseType(ID, XMLTimeUtil.getIssueInstant());
+
+        // Issuer
+        NameIDType issuer = issuerInfo.getIssuer();
+        responseType.setIssuer(issuer);
+
+        // Status
+        String statusCode = issuerInfo.getStatusCode();
+        if (statusCode == null)
+            throw logger.issuerInfoMissingStatusCodeError();
+
+        responseType.setStatus(createStatusType(statusCode));
+
+        responseType.addAssertion(new RTChoiceType(new EncryptedAssertionType(encryptedAssertion)));
+        return responseType;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/factories/SAMLAssertionFactory.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/factories/SAMLAssertionFactory.java
new file mode 100755
index 0000000000..3201b8a1d2
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/factories/SAMLAssertionFactory.java
@@ -0,0 +1,197 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.factories;
+
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
+import org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType;
+import org.keycloak.dom.saml.v2.assertion.ConditionAbstractType;
+import org.keycloak.dom.saml.v2.assertion.ConditionsType;
+import org.keycloak.dom.saml.v2.assertion.KeyInfoConfirmationDataType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.assertion.StatementAbstractType;
+import org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType;
+import org.keycloak.dom.saml.v2.assertion.SubjectType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.KeyInfoType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.net.URI;
+import java.util.List;
+
+/**
+ * Deal with {@code AssertionType}
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jan 28, 2009
+ */
+public class SAMLAssertionFactory {
+
+    /**
+     * <p>
+     * Creates an {@code AudienceRestrictionType} with the specified values.
+     * </p>
+     *
+     * @param values a {@code String[]} containing the restriction values.
+     *
+     * @return the constructed {@code AudienceRestrictionType} instance.
+     */
+    public static AudienceRestrictionType createAudienceRestriction(String... values) {
+        AudienceRestrictionType audienceRestriction = new AudienceRestrictionType();
+        if (values != null) {
+            for (String val : values) {
+                audienceRestriction.addAudience(URI.create(val));
+            }
+        }
+        return audienceRestriction;
+    }
+
+    /**
+     * <p>
+     * Creates a {@code NameIDType} instance with the specified values.
+     * </p>
+     *
+     * @param format a {@code String} representing the name format.
+     * @param qualifier a {@code String} representing the name qualifier.
+     * @param value a {@code String} representing the name value.
+     *
+     * @return the constructed {@code NameIDType} instance.
+     */
+    public static NameIDType createNameID(String format, String qualifier, String value) {
+        NameIDType nameID = new NameIDType();
+        if (format != null)
+            nameID.setFormat(URI.create(format));
+        nameID.setNameQualifier(qualifier);
+        nameID.setValue(value);
+        return nameID;
+    }
+
+    /**
+     * <p>
+     * Creates a {@code Conditions} instance with the specified values.
+     * </p>
+     *
+     * @param notBefore a {@code XMLGregorianCalendar} representing the start of the token lifetime period.
+     * @param notOnOrAfter a {@code XMLGregorianCalendar} representing the end of the token lifetime period.
+     * @param restrictions an array containing the applicable restrictions.
+     *
+     * @return the constructed {@code Conditions} instance.
+     */
+    public static ConditionsType createConditions(XMLGregorianCalendar notBefore, XMLGregorianCalendar notOnOrAfter,
+                                                  ConditionAbstractType... restrictions) {
+        ConditionsType conditions = new ConditionsType();
+        conditions.setNotBefore(notBefore);
+        conditions.setNotOnOrAfter(notOnOrAfter);
+        if (restrictions != null) {
+            for (ConditionAbstractType condition : restrictions) {
+                conditions.addCondition(condition);
+            }
+
+        }
+        return conditions;
+    }
+
+    /**
+     * <p>
+     * Creates a {@code KeyInfoConfirmationDataType} with the specified {@code KeyInfoType}.
+     * </p>
+     *
+     * @param keyInfo the {@code KeyInfoType} object that wraps the proof-of-possession token.
+     *
+     * @return the constructed {@code KeyInfoConfirmationDataType} instance.
+     */
+    public static KeyInfoConfirmationDataType createKeyInfoConfirmation(KeyInfoType keyInfo) {
+        KeyInfoConfirmationDataType type = new KeyInfoConfirmationDataType();
+        type.setAnyType(keyInfo);
+        return type;
+    }
+
+    /**
+     * <p>
+     * Creates a {@code SubjectConfirmationType} object with the specified values.
+     * </p>
+     *
+     * @param nameID the identifier of the confirmation.
+     * @param confirmationMethod a {@code String} representing the confirmation method.
+     * @param keyInfoData the {@code KeyInfoConfirmationDataType} instance that contains the proof of possession key.
+     *
+     * @return the constructed {@code SubjectConfirmationType} instance.
+     */
+    public static SubjectConfirmationType createSubjectConfirmation(NameIDType nameID, String confirmationMethod,
+                                                                    KeyInfoConfirmationDataType keyInfoData) {
+        SubjectConfirmationType subjectConfirmation = new SubjectConfirmationType();
+        subjectConfirmation.setNameID(nameID);
+        subjectConfirmation.setMethod(confirmationMethod);
+        subjectConfirmation.setSubjectConfirmationData(keyInfoData);
+        return subjectConfirmation;
+    }
+
+    /**
+     * <p>
+     * Creates a {@code SubjectType} object with the specified values.
+     * </p>
+     *
+     * @param nameID the identifier of the subject.
+     * @param confirmation the {@code SubjectConfirmationType} that is used to establish the correspondence between the
+     * subject
+     * and claims of SAML statements.
+     *
+     * @return the constructed {@code SubjectType} instance.
+     */
+    public static SubjectType createSubject(NameIDType nameID, SubjectConfirmationType confirmation) {
+        SubjectType subject = new SubjectType();
+        if (nameID != null) {
+            SubjectType.STSubType subType = new SubjectType.STSubType();
+            subType.addConfirmation(confirmation);
+            subType.addBaseID(nameID);
+            subject.setSubType(subType);
+        }
+        return subject;
+    }
+
+    /**
+     * <p>
+     * Creates a SAMLV2 {@code AssertionType} with the specified values.
+     * </p>
+     *
+     * @param id a {@code String} representing the assertion ID.
+     * @param issuerID a {@code NameIDType} that identifies the assertion issuer.
+     * @param issueInstant the assertion time of creation.
+     * @param conditions the {@code ConditionsType} that specify the conditions under which the assertion is to be
+     * considered
+     * valid
+     * @param subject the {@code SubjectType} that identifies the authenticated principal.
+     * @param statements a list of statements associated with the authenticated principal.
+     *
+     * @return
+     */
+    public static AssertionType createAssertion(String id, NameIDType issuerID, XMLGregorianCalendar issueInstant,
+                                                ConditionsType conditions, SubjectType subject, List<StatementAbstractType> statements) {
+        AssertionType assertion = new AssertionType(id, issueInstant);
+        assertion.setIssuer(issuerID);
+        if (conditions != null)
+            assertion.setConditions(conditions);
+        if (subject != null)
+            assertion.setSubject(subject);
+
+        if (statements != null) {
+            for (StatementAbstractType statement : statements) {
+                assertion.addStatement(statement);
+            }
+        }
+        return assertion;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/factories/SecurityActions.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/factories/SecurityActions.java
new file mode 100755
index 0000000000..5835c75374
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/factories/SecurityActions.java
@@ -0,0 +1,126 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.factories;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * Privileged Blocks
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 9, 2008
+ */
+class SecurityActions {
+
+    /**
+     * <p>
+     * Loads a {@link Class} using the <code>fullQualifiedName</code> supplied. This method tries first to load from
+     * the
+     * specified {@link Class}, if not found it will try to load from using TCL.
+     * </p>
+     *
+     * @param theClass
+     * @param fullQualifiedName
+     *
+     * @return
+     */
+    static Class<?> loadClass(final Class<?> theClass, final String fullQualifiedName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
+                public Class<?> run() {
+                    ClassLoader classLoader = theClass.getClassLoader();
+
+                    Class<?> clazz = loadClass(classLoader, fullQualifiedName);
+                    if (clazz == null) {
+                        classLoader = Thread.currentThread().getContextClassLoader();
+                        clazz = loadClass(classLoader, fullQualifiedName);
+                    }
+                    return clazz;
+                }
+            });
+        } else {
+            ClassLoader classLoader = theClass.getClassLoader();
+
+            Class<?> clazz = loadClass(classLoader, fullQualifiedName);
+            if (clazz == null) {
+                classLoader = Thread.currentThread().getContextClassLoader();
+                clazz = loadClass(classLoader, fullQualifiedName);
+            }
+            return clazz;
+        }
+    }
+
+    /**
+     * <p>
+     * Loads a class from the specified {@link ClassLoader} using the <code>fullQualifiedName</code> supplied.
+     * </p>
+     *
+     * @param classLoader
+     * @param fullQualifiedName
+     *
+     * @return
+     */
+    static Class<?> loadClass(final ClassLoader classLoader, final String fullQualifiedName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
+                public Class<?> run() {
+                    try {
+                        return classLoader.loadClass(fullQualifiedName);
+                    } catch (ClassNotFoundException e) {
+                    }
+                    return null;
+                }
+            });
+        } else {
+            try {
+                return classLoader.loadClass(fullQualifiedName);
+            } catch (ClassNotFoundException e) {
+            }
+            return null;
+        }
+    }
+
+    /**
+     * <p>Returns a system property value using the specified <code>key</code>. If not found the
+     * <code>defaultValue</code> will be returned.</p>
+     *
+     * @param key
+     * @param defaultValue
+     *
+     * @return
+     */
+    static String getSystemProperty(final String key, final String defaultValue) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<String>() {
+                public String run() {
+                    return System.getProperty(key, defaultValue);
+                }
+            });
+        } else {
+            return System.getProperty(key, defaultValue);
+        }
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/DestinationInfoHolder.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/DestinationInfoHolder.java
new file mode 100755
index 0000000000..9bc56ded4f
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/DestinationInfoHolder.java
@@ -0,0 +1,56 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.holders;
+
+/**
+ * Holder containing the information about a destination
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jul 24, 2009
+ */
+public class DestinationInfoHolder {
+
+    private String destination;
+    private String samlMessage;
+    private String relayState;
+
+    /**
+     * Create an holder
+     *
+     * @param destination The destination where the post will be sent
+     * @param samlMessage SAML Message
+     * @param relayState
+     */
+    public DestinationInfoHolder(String destination, String samlMessage, String relayState) {
+        this.destination = destination;
+        this.samlMessage = samlMessage;
+        this.relayState = relayState;
+    }
+
+    public String getDestination() {
+        return destination;
+    }
+
+    public String getSamlMessage() {
+        return samlMessage;
+    }
+
+    public String getRelayState() {
+        return relayState;
+    }
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/IDPInfoHolder.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/IDPInfoHolder.java
new file mode 100755
index 0000000000..89d3d1c25b
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/IDPInfoHolder.java
@@ -0,0 +1,78 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.holders;
+
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
+
+/**
+ * Holds essential information about an IDP for creating saml messages.
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 10, 2008
+ */
+public class IDPInfoHolder {
+
+    private String subjectConfirmationMethod = JBossSAMLURIConstants.SUBJECT_CONFIRMATION_BEARER.get();
+    private String nameIDFormat = JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get();
+    private String nameIDFormatValue;
+
+    private AssertionType assertion;
+
+    private int assertionValidityDuration = 5; // 5 Minutes
+
+    public int getAssertionValidityDuration() {
+        return assertionValidityDuration;
+    }
+
+    public void setAssertionValidityDuration(int assertionValidityDuration) {
+        this.assertionValidityDuration = assertionValidityDuration;
+    }
+
+    public String getSubjectConfirmationMethod() {
+        return subjectConfirmationMethod;
+    }
+
+    public void setSubjectConfirmationMethod(String subjectConfirmationMethod) {
+        this.subjectConfirmationMethod = subjectConfirmationMethod;
+    }
+
+    public String getNameIDFormat() {
+        return nameIDFormat;
+    }
+
+    public void setNameIDFormat(String nameIDFormat) {
+        this.nameIDFormat = nameIDFormat;
+    }
+
+    public String getNameIDFormatValue() {
+        return nameIDFormatValue;
+    }
+
+    public void setNameIDFormatValue(String nameIDFormatValue) {
+        this.nameIDFormatValue = nameIDFormatValue;
+    }
+
+    public AssertionType getAssertion() {
+        return assertion;
+    }
+
+    public void setAssertion(AssertionType assertion) {
+        this.assertion = assertion;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/IssuerInfoHolder.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/IssuerInfoHolder.java
new file mode 100755
index 0000000000..ccb5794612
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/IssuerInfoHolder.java
@@ -0,0 +1,80 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.holders;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+
+/**
+ * Holds info about the issuer for saml messages creation
+ *
+ * @param <JBossSAMLConstants>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 10, 2008
+ */
+public class IssuerInfoHolder {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    private NameIDType issuer;
+
+    private String statusCodeURI = JBossSAMLURIConstants.STATUS_SUCCESS.get();
+
+    private String samlVersion = JBossSAMLConstants.VERSION_2_0.get();
+
+    public IssuerInfoHolder(NameIDType issuer) {
+        if (issuer == null)
+            throw logger.nullArgumentError("issuer");
+        this.issuer = issuer;
+    }
+
+    public IssuerInfoHolder(String issuerAsString) {
+        if (issuerAsString == null)
+            throw logger.nullArgumentError("issuerAsString");
+        issuer = new NameIDType();
+        issuer.setValue(issuerAsString);
+    }
+
+    public NameIDType getIssuer() {
+        return issuer;
+    }
+
+    public void setIssuer(NameIDType issuer) {
+        this.issuer = issuer;
+    }
+
+    public String getStatusCode() {
+        return statusCodeURI;
+    }
+
+    public void setStatusCode(String statusCode) {
+        this.statusCodeURI = statusCode;
+    }
+
+    public String getSamlVersion() {
+        return samlVersion;
+    }
+
+    public void setSamlVersion(String samlVersion) {
+        this.samlVersion = samlVersion;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/SPInfoHolder.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/SPInfoHolder.java
new file mode 100755
index 0000000000..c9ca5c3415
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/SPInfoHolder.java
@@ -0,0 +1,60 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.holders;
+
+/**
+ * <p>
+ * Holds the information about a Service Provider
+ * </p>
+ * <p>
+ * This holder is useful in generating saml messages
+ * </p>
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 10, 2008
+ */
+public class SPInfoHolder {
+
+    private String requestID;
+    private String responseDestinationURI;
+    private String issuer;
+
+    public String getRequestID() {
+        return requestID;
+    }
+
+    public void setRequestID(String requestID) {
+        this.requestID = requestID;
+    }
+
+    public String getResponseDestinationURI() {
+        return responseDestinationURI;
+    }
+
+    public void setResponseDestinationURI(String responseDestinationURI) {
+        this.responseDestinationURI = responseDestinationURI;
+    }
+
+    public String getIssuer() {
+        return issuer;
+    }
+
+    public void setIssuer(String issuer) {
+        this.issuer = issuer;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/SignatureInfoHolder.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/SignatureInfoHolder.java
new file mode 100755
index 0000000000..545d2a5b3a
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/holders/SignatureInfoHolder.java
@@ -0,0 +1,45 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.holders;
+
+/**
+ * Holds information about signature
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jul 24, 2009
+ */
+public class SignatureInfoHolder {
+
+    private byte[] signatureValue;
+
+    private String sigAlg;
+
+    public SignatureInfoHolder(byte[] signatureValue, String sigAlg) {
+        super();
+        this.signatureValue = signatureValue;
+        this.sigAlg = sigAlg;
+    }
+
+    public byte[] getSignatureValue() {
+        return signatureValue;
+    }
+
+    public String getSigAlg() {
+        return sigAlg;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/AssertionUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/AssertionUtil.java
new file mode 100755
index 0000000000..0f6f5ed0c8
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/AssertionUtil.java
@@ -0,0 +1,513 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.keycloak.saml.processing.core.saml.v2.util;
+
+import org.keycloak.saml.common.ErrorCodes;
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.exceptions.fed.IssueInstantMissingException;
+import org.keycloak.saml.common.util.DocumentUtil;
+import org.keycloak.saml.common.util.StaxUtil;
+import org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature;
+import org.keycloak.saml.processing.core.saml.v2.writers.SAMLAssertionWriter;
+import org.keycloak.dom.saml.v1.assertion.SAML11AssertionType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AttributeStatementType;
+import org.keycloak.dom.saml.v1.assertion.SAML11AttributeType;
+import org.keycloak.dom.saml.v1.assertion.SAML11ConditionsType;
+import org.keycloak.dom.saml.v1.assertion.SAML11StatementAbstractType;
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
+import org.keycloak.dom.saml.v2.assertion.ConditionsType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.assertion.StatementAbstractType;
+import org.keycloak.dom.saml.v2.assertion.SubjectType;
+import org.keycloak.dom.saml.v2.assertion.SubjectType.STSubType;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.security.PublicKey;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+
+/**
+ * Utility to deal with assertions
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 3, 2009
+ */
+public class AssertionUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * Given {@code AssertionType}, convert it into a String
+     *
+     * @param assertion
+     *
+     * @return
+     *
+     * @throws ProcessingException
+     */
+    public static String asString(AssertionType assertion) throws ProcessingException {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        SAMLAssertionWriter writer = new SAMLAssertionWriter(StaxUtil.getXMLStreamWriter(baos));
+        writer.write(assertion);
+        return new String(baos.toByteArray());
+    }
+
+    /**
+     * Given {@code AssertionType}, convert it into a DOM Document.
+     *
+     * @param assertion
+     *
+     * @return
+     *
+     * @throws ProcessingException
+     */
+    public static Document asDocument(AssertionType assertion) throws ProcessingException {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        SAMLAssertionWriter writer = new SAMLAssertionWriter(StaxUtil.getXMLStreamWriter(baos));
+
+        writer.write(assertion);
+
+        try {
+            return DocumentUtil.getDocument(new ByteArrayInputStream(baos.toByteArray()));
+        } catch (Exception e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Create an assertion
+     *
+     * @param id
+     * @param issuer
+     *
+     * @return
+     */
+    public static SAML11AssertionType createSAML11Assertion(String id, XMLGregorianCalendar issueInstant, String issuer) {
+        SAML11AssertionType assertion = new SAML11AssertionType(id, issueInstant);
+        assertion.setIssuer(issuer);
+        return assertion;
+    }
+
+    /**
+     * Create an assertion
+     *
+     * @param id
+     * @param issuer
+     *
+     * @return
+     */
+    public static AssertionType createAssertion(String id, NameIDType issuer) {
+        XMLGregorianCalendar issueInstant = null;
+        try {
+            issueInstant = XMLTimeUtil.getIssueInstant();
+        } catch (ConfigurationException e) {
+            throw new RuntimeException(e);
+        }
+        AssertionType assertion = new AssertionType(id, issueInstant);
+        assertion.setIssuer(issuer);
+        return assertion;
+    }
+
+    /**
+     * Given a user name, create a {@code SubjectType} that can then be inserted into an assertion
+     *
+     * @param userName
+     *
+     * @return
+     */
+    public static SubjectType createAssertionSubject(String userName) {
+        SubjectType assertionSubject = new SubjectType();
+        STSubType subType = new STSubType();
+        NameIDType anil = new NameIDType();
+        anil.setValue(userName);
+        subType.addBaseID(anil);
+        assertionSubject.setSubType(subType);
+        return assertionSubject;
+    }
+
+    /**
+     * Create an attribute type
+     *
+     * @param name Name of the attribute
+     * @param nameFormat name format uri
+     * @param attributeValues an object array of attribute values
+     *
+     * @return
+     */
+    public static AttributeType createAttribute(String name, String nameFormat, Object... attributeValues) {
+        AttributeType att = new AttributeType(name);
+        att.setNameFormat(nameFormat);
+        if (attributeValues != null && attributeValues.length > 0) {
+            for (Object attributeValue : attributeValues) {
+                att.addAttributeValue(attributeValue);
+            }
+        }
+
+        return att;
+    }
+
+    /**
+     * <p>
+     * Add validity conditions to the SAML2 Assertion
+     * </p>
+     * <p>
+     * There is no clock skew added.
+     *
+     * @param assertion
+     * @param durationInMilis
+     *
+     * @throws ConfigurationException
+     * @throws IssueInstantMissingException
+     * @see {{@link #createTimedConditions(AssertionType, long, long)}
+     *      </p>
+     */
+    public static void createTimedConditions(AssertionType assertion, long durationInMilis) throws ConfigurationException,
+            IssueInstantMissingException {
+        XMLGregorianCalendar issueInstant = assertion.getIssueInstant();
+        if (issueInstant == null)
+            throw new IssueInstantMissingException(ErrorCodes.NULL_ISSUE_INSTANT);
+        XMLGregorianCalendar assertionValidityLength = XMLTimeUtil.add(issueInstant, durationInMilis);
+        ConditionsType conditionsType = new ConditionsType();
+        conditionsType.setNotBefore(issueInstant);
+        conditionsType.setNotOnOrAfter(assertionValidityLength);
+
+        assertion.setConditions(conditionsType);
+    }
+
+    /**
+     * Add validity conditions to the SAML2 Assertion
+     *
+     * @param assertion
+     * @param durationInMilis
+     *
+     * @throws ConfigurationException
+     * @throws IssueInstantMissingException
+     */
+    public static void createTimedConditions(AssertionType assertion, long durationInMilis, long clockSkew)
+            throws ConfigurationException, IssueInstantMissingException {
+        XMLGregorianCalendar issueInstant = assertion.getIssueInstant();
+        if (issueInstant == null)
+            throw logger.samlIssueInstantMissingError();
+        XMLGregorianCalendar assertionValidityLength = XMLTimeUtil.add(issueInstant, durationInMilis + clockSkew);
+
+        ConditionsType conditionsType = new ConditionsType();
+
+        XMLGregorianCalendar beforeInstant = XMLTimeUtil.subtract(issueInstant, clockSkew);
+
+        conditionsType.setNotBefore(beforeInstant);
+        conditionsType.setNotOnOrAfter(assertionValidityLength);
+
+        assertion.setConditions(conditionsType);
+    }
+
+    /**
+     * Add validity conditions to the SAML2 Assertion
+     *
+     * @param assertion
+     * @param durationInMilis
+     *
+     * @throws ConfigurationException
+     * @throws IssueInstantMissingException
+     */
+    public static void createSAML11TimedConditions(SAML11AssertionType assertion, long durationInMilis, long clockSkew)
+            throws ConfigurationException, IssueInstantMissingException {
+        XMLGregorianCalendar issueInstant = assertion.getIssueInstant();
+        if (issueInstant == null)
+            throw new IssueInstantMissingException(ErrorCodes.NULL_ISSUE_INSTANT);
+        XMLGregorianCalendar assertionValidityLength = XMLTimeUtil.add(issueInstant, durationInMilis + clockSkew);
+
+        SAML11ConditionsType conditionsType = new SAML11ConditionsType();
+
+        XMLGregorianCalendar beforeInstant = XMLTimeUtil.subtract(issueInstant, clockSkew);
+
+        conditionsType.setNotBefore(beforeInstant);
+        conditionsType.setNotOnOrAfter(assertionValidityLength);
+        assertion.setConditions(conditionsType);
+    }
+
+    /**
+     * Given an assertion element, validate the signature
+     *
+     * @param assertionElement
+     * @param publicKey the {@link PublicKey}
+     *
+     * @return
+     */
+    public static boolean isSignatureValid(Element assertionElement, PublicKey publicKey) {
+        try {
+            Document doc = DocumentUtil.createDocument();
+            Node n = doc.importNode(assertionElement, true);
+            doc.appendChild(n);
+
+            return new SAML2Signature().validate(doc, publicKey);
+        } catch (Exception e) {
+            logger.signatureAssertionValidationError(e);
+        }
+        return false;
+    }
+
+    /**
+     * Check whether the assertion has expired
+     *
+     * @param assertion
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public static boolean hasExpired(AssertionType assertion) throws ConfigurationException {
+        boolean expiry = false;
+
+        // Check for validity of assertion
+        ConditionsType conditionsType = assertion.getConditions();
+        if (conditionsType != null) {
+            XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
+            XMLGregorianCalendar notBefore = conditionsType.getNotBefore();
+            XMLGregorianCalendar notOnOrAfter = conditionsType.getNotOnOrAfter();
+
+            if (notBefore != null) {
+                logger.trace("Assertion: " + assertion.getID() + " ::Now=" + now.toXMLFormat() + " ::notBefore=" + notBefore.toXMLFormat());
+            }
+
+            if (notOnOrAfter != null) {
+                logger.trace("Assertion: " + assertion.getID() + " ::Now=" + now.toXMLFormat() + " ::notOnOrAfter=" + notOnOrAfter);
+            }
+
+            expiry = !XMLTimeUtil.isValid(now, notBefore, notOnOrAfter);
+
+            if (expiry) {
+                logger.samlAssertionExpired(assertion.getID());
+            }
+        }
+
+        // TODO: if conditions do not exist, assume the assertion to be everlasting?
+        return expiry;
+    }
+
+    /**
+     * Verify whether the assertion has expired. You can add in a clock skew to adapt to conditions where in the IDP and
+     * SP are
+     * out of sync.
+     *
+     * @param assertion
+     * @param clockSkewInMilis in miliseconds
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public static boolean hasExpired(AssertionType assertion, long clockSkewInMilis) throws ConfigurationException {
+        boolean expiry = false;
+
+        // Check for validity of assertion
+        ConditionsType conditionsType = assertion.getConditions();
+        if (conditionsType != null) {
+            XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
+            XMLGregorianCalendar notBefore = conditionsType.getNotBefore();
+            XMLGregorianCalendar updatedNotBefore = XMLTimeUtil.subtract(notBefore, clockSkewInMilis);
+            XMLGregorianCalendar notOnOrAfter = conditionsType.getNotOnOrAfter();
+            XMLGregorianCalendar updatedOnOrAfter = XMLTimeUtil.add(notOnOrAfter, clockSkewInMilis);
+
+            logger.trace("Now=" + now.toXMLFormat() + " ::notBefore=" + notBefore.toXMLFormat() + " ::notOnOrAfter=" + notOnOrAfter);
+            expiry = !XMLTimeUtil.isValid(now, updatedNotBefore, updatedOnOrAfter);
+            if (expiry) {
+                logger.samlAssertionExpired(assertion.getID());
+            }
+        }
+
+        // TODO: if conditions do not exist, assume the assertion to be everlasting?
+        return expiry;
+    }
+
+    /**
+     * Check whether the assertion has expired
+     *
+     * @param assertion
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public static boolean hasExpired(SAML11AssertionType assertion) throws ConfigurationException {
+        boolean expiry = false;
+
+        // Check for validity of assertion
+        SAML11ConditionsType conditionsType = assertion.getConditions();
+        if (conditionsType != null) {
+            XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
+            XMLGregorianCalendar notBefore = conditionsType.getNotBefore();
+            XMLGregorianCalendar notOnOrAfter = conditionsType.getNotOnOrAfter();
+
+            logger.trace("Now=" + now.toXMLFormat() + " ::notBefore=" + notBefore.toXMLFormat() + " ::notOnOrAfter=" + notOnOrAfter);
+
+            expiry = !XMLTimeUtil.isValid(now, notBefore, notOnOrAfter);
+            if (expiry) {
+                logger.samlAssertionExpired(assertion.getID());
+            }
+        }
+
+        // TODO: if conditions do not exist, assume the assertion to be everlasting?
+        return expiry;
+    }
+
+    /**
+     * Verify whether the assertion has expired. You can add in a clock skew to adapt to conditions where in the IDP and
+     * SP are
+     * out of sync.
+     *
+     * @param assertion
+     * @param clockSkewInMilis in miliseconds
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public static boolean hasExpired(SAML11AssertionType assertion, long clockSkewInMilis) throws ConfigurationException {
+        boolean expiry = false;
+
+        // Check for validity of assertion
+        SAML11ConditionsType conditionsType = assertion.getConditions();
+        if (conditionsType != null) {
+            XMLGregorianCalendar now = XMLTimeUtil.getIssueInstant();
+            XMLGregorianCalendar notBefore = conditionsType.getNotBefore();
+            XMLGregorianCalendar updatedNotBefore = XMLTimeUtil.subtract(notBefore, clockSkewInMilis);
+            XMLGregorianCalendar notOnOrAfter = conditionsType.getNotOnOrAfter();
+            XMLGregorianCalendar updatedOnOrAfter = XMLTimeUtil.add(notOnOrAfter, clockSkewInMilis);
+
+            logger.trace("Now=" + now.toXMLFormat() + " ::notBefore=" + notBefore.toXMLFormat() + " ::notOnOrAfter=" + notOnOrAfter);
+
+            expiry = !XMLTimeUtil.isValid(now, updatedNotBefore, updatedOnOrAfter);
+            if (expiry) {
+                logger.samlAssertionExpired(assertion.getID());
+            }
+        }
+
+        // TODO: if conditions do not exist, assume the assertion to be everlasting?
+        return expiry;
+    }
+
+    /**
+     * Extract the expiration time from an {@link AssertionType}
+     *
+     * @param assertion
+     *
+     * @return
+     */
+    public static XMLGregorianCalendar getExpiration(AssertionType assertion) {
+        XMLGregorianCalendar expiry = null;
+
+        ConditionsType conditionsType = assertion.getConditions();
+        if (conditionsType != null) {
+            expiry = conditionsType.getNotOnOrAfter();
+        }
+        return expiry;
+    }
+
+    /**
+     * Given an assertion, return the list of roles it may have
+     *
+     * @param assertion The {@link AssertionType}
+     * @param roleKeys a list of string values representing the role keys. The list can be null.
+     *
+     * @return
+     */
+    public static List<String> getRoles(AssertionType assertion, List<String> roleKeys) {
+        List<String> roles = new ArrayList<String>();
+        Set<StatementAbstractType> statements = assertion.getStatements();
+        for (StatementAbstractType statement : statements) {
+            if (statement instanceof AttributeStatementType) {
+                AttributeStatementType attributeStatement = (AttributeStatementType) statement;
+                List<ASTChoiceType> attList = attributeStatement.getAttributes();
+                for (ASTChoiceType obj : attList) {
+                    AttributeType attr = obj.getAttribute();
+                    if (roleKeys != null && roleKeys.size() > 0) {
+                        if (!roleKeys.contains(attr.getName()))
+                            continue;
+                    }
+                    List<Object> attributeValues = attr.getAttributeValue();
+                    if (attributeValues != null) {
+                        for (Object attrValue : attributeValues) {
+                            if (attrValue instanceof String) {
+                                roles.add((String) attrValue);
+                            } else if (attrValue instanceof Node) {
+                                Node roleNode = (Node) attrValue;
+                                roles.add(roleNode.getFirstChild().getNodeValue());
+                            } else
+                                throw logger.unknownObjectType(attrValue);
+                        }
+                    }
+                }
+            }
+        }
+        return roles;
+    }
+
+    /**
+     * Given an assertion, return the list of roles it may have
+     *
+     * @param assertion The {@link SAML11AssertionType}
+     * @param roleKeys a list of string values representing the role keys. The list can be null.
+     *
+     * @return
+     */
+    public static List<String> getRoles(SAML11AssertionType assertion, List<String> roleKeys) {
+        List<String> roles = new ArrayList<String>();
+        List<SAML11StatementAbstractType> statements = assertion.getStatements();
+        for (SAML11StatementAbstractType statement : statements) {
+            if (statement instanceof SAML11AttributeStatementType) {
+                SAML11AttributeStatementType attributeStatement = (SAML11AttributeStatementType) statement;
+                List<SAML11AttributeType> attributes = attributeStatement.get();
+                for (SAML11AttributeType attr : attributes) {
+                    if (roleKeys != null && roleKeys.size() > 0) {
+                        if (!roleKeys.contains(attr.getAttributeName()))
+                            continue;
+                    }
+                    List<Object> attributeValues = attr.get();
+                    if (attributeValues != null) {
+                        for (Object attrValue : attributeValues) {
+                            if (attrValue instanceof String) {
+                                roles.add((String) attrValue);
+                            } else if (attrValue instanceof Node) {
+                                Node roleNode = (Node) attrValue;
+                                roles.add(roleNode.getFirstChild().getNodeValue());
+                            } else
+                                throw logger.unknownObjectType(attrValue);
+                        }
+                    }
+                }
+            }
+        }
+        return roles;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/DocumentUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/DocumentUtil.java
new file mode 100755
index 0000000000..fa1cadc336
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/DocumentUtil.java
@@ -0,0 +1,28 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.util;
+
+/**
+ * PLINK-158: Maintain backward compatibility
+ *
+ * @author Anil Saldhana
+ * @since June 20, 2013
+ */
+public class DocumentUtil extends org.keycloak.saml.common.util.DocumentUtil {
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SAMLMetadataUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SAMLMetadataUtil.java
new file mode 100755
index 0000000000..bca7eb0269
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SAMLMetadataUtil.java
@@ -0,0 +1,101 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.util;
+
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.processing.core.util.XMLSignatureUtil;
+import org.keycloak.dom.saml.v2.metadata.KeyDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.KeyTypes;
+import org.keycloak.dom.saml.v2.metadata.SSODescriptorType;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+import java.security.cert.X509Certificate;
+
+/**
+ * Deals with SAML2 Metadata
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jan 31, 2011
+ */
+public class SAMLMetadataUtil {
+
+    /**
+     * Get the {@link X509Certificate} from the KeyInfo
+     *
+     * @param keyDescriptor
+     *
+     * @return
+     *
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     * @throws org.keycloak.saml.common.exceptions.ConfigurationException
+     */
+    public static X509Certificate getCertificate(KeyDescriptorType keyDescriptor) throws ConfigurationException,
+            ProcessingException {
+        X509Certificate cert = null;
+        Element keyInfo = keyDescriptor.getKeyInfo();
+        if (keyInfo != null) {
+            NodeList x509DataNodes = keyInfo.getElementsByTagName("X509Data");
+            if (x509DataNodes == null || x509DataNodes.getLength() == 0) {
+                x509DataNodes = keyInfo.getElementsByTagNameNS(JBossSAMLURIConstants.XMLDSIG_NSURI.get(), "X509Data");
+            }
+
+            if (x509DataNodes == null || x509DataNodes.getLength() == 0) {
+                x509DataNodes = keyInfo.getElementsByTagName("ds:X509Data");
+            }
+
+            if (x509DataNodes != null && x509DataNodes.getLength() > 0) {
+                // Choose the first one
+                Node x509DataNode = x509DataNodes.item(0);
+                NodeList children = x509DataNode.getChildNodes();
+                int len = children != null ? children.getLength() : 0;
+                for (int i = 0; i < len; i++) {
+                    Node nl = children.item(i);
+                    if (nl.getNodeName().contains("X509Certificate")) {
+                        Node certNode = nl.getFirstChild();
+                        String certNodeValue = certNode.getNodeValue();
+                        cert = XMLSignatureUtil.getX509CertificateFromKeyInfoString(certNodeValue.replaceAll("\\s", ""));
+                        break;
+                    }
+                }
+            }
+        }
+        return cert;
+    }
+
+    public static X509Certificate getCertificate(KeyTypes use, SSODescriptorType ssoDescriptorType) {
+        if (ssoDescriptorType != null) {
+            for (KeyDescriptorType keyDescriptorType : ssoDescriptorType.getKeyDescriptor()) {
+                KeyTypes keyUse = keyDescriptorType.getUse();
+
+                if (keyUse == null || (use != null && keyUse.value().equals(use.value()))) {
+                    try {
+                        return getCertificate(keyDescriptorType);
+                    } catch (Exception e) {
+                        throw new RuntimeException("Could not parse KeyDescriptor X509 certificate from metadata [" + ssoDescriptorType.getID() + "].");
+                    }
+                }
+            }
+        }
+
+        return null;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SecurityActions.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SecurityActions.java
new file mode 100755
index 0000000000..1a9c090b02
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SecurityActions.java
@@ -0,0 +1,161 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.util;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * Privileged Blocks
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 9, 2008
+ */
+class SecurityActions {
+
+    /**
+     * <p>
+     * Loads a {@link Class} using the <code>fullQualifiedName</code> supplied. This method tries first to load from
+     * the
+     * specified {@link Class}, if not found it will try to load from using TCL.
+     * </p>
+     *
+     * @param theClass
+     * @param fullQualifiedName
+     *
+     * @return
+     */
+    static Class<?> loadClass(final Class<?> theClass, final String fullQualifiedName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
+                public Class<?> run() {
+                    ClassLoader classLoader = theClass.getClassLoader();
+
+                    Class<?> clazz = loadClass(classLoader, fullQualifiedName);
+                    if (clazz == null) {
+                        classLoader = Thread.currentThread().getContextClassLoader();
+                        clazz = loadClass(classLoader, fullQualifiedName);
+                    }
+                    return clazz;
+                }
+            });
+        } else {
+            ClassLoader classLoader = theClass.getClassLoader();
+
+            Class<?> clazz = loadClass(classLoader, fullQualifiedName);
+            if (clazz == null) {
+                classLoader = Thread.currentThread().getContextClassLoader();
+                clazz = loadClass(classLoader, fullQualifiedName);
+            }
+            return clazz;
+        }
+    }
+
+    /**
+     * <p>
+     * Loads a class from the specified {@link ClassLoader} using the <code>fullQualifiedName</code> supplied.
+     * </p>
+     *
+     * @param classLoader
+     * @param fullQualifiedName
+     *
+     * @return
+     */
+    static Class<?> loadClass(final ClassLoader classLoader, final String fullQualifiedName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
+                public Class<?> run() {
+                    try {
+                        return classLoader.loadClass(fullQualifiedName);
+                    } catch (ClassNotFoundException e) {
+                    }
+                    return null;
+                }
+            });
+        } else {
+            try {
+                return classLoader.loadClass(fullQualifiedName);
+            } catch (ClassNotFoundException e) {
+            }
+            return null;
+        }
+    }
+
+    /**
+     * <p>Returns a system property value using the specified <code>key</code>. If not found the
+     * <code>defaultValue</code> will be returned.</p>
+     *
+     * @param key
+     * @param defaultValue
+     *
+     * @return
+     */
+    static String getSystemProperty(final String key, final String defaultValue) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<String>() {
+                public String run() {
+                    return System.getProperty(key, defaultValue);
+                }
+            });
+        } else {
+            return System.getProperty(key, defaultValue);
+        }
+    }
+
+    /**
+     * Get the Thread Context ClassLoader
+     *
+     * @return
+     */
+    static ClassLoader getTCCL() {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
+                public ClassLoader run() {
+                    return Thread.currentThread().getContextClassLoader();
+                }
+            });
+        } else {
+            return Thread.currentThread().getContextClassLoader();
+        }
+    }
+
+    /**
+     * Set the Thread Context ClassLoader
+     *
+     * @param paramCl
+     */
+    static void setTCCL(final ClassLoader paramCl) {
+        if (System.getSecurityManager() != null) {
+            AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                public Void run() {
+                    Thread.currentThread().setContextClassLoader(paramCl);
+                    return null;
+                }
+            });
+        } else {
+
+            Thread.currentThread().setContextClassLoader(paramCl);
+        }
+    }
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SignatureUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SignatureUtil.java
new file mode 100755
index 0000000000..1c52241870
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/SignatureUtil.java
@@ -0,0 +1,297 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.WSTrustConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.util.Base64;
+import org.keycloak.saml.processing.core.constants.PicketLinkFederationConstants;
+import org.keycloak.dom.xmlsec.w3.xmldsig.DSAKeyValueType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.KeyValueType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.RSAKeyValueType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.SignatureType;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.SAXException;
+
+import javax.xml.bind.JAXBException;
+import java.io.OutputStream;
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.DSAPublicKey;
+import java.security.interfaces.RSAPublicKey;
+
+/**
+ * Signature utility for signing content
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 16, 2008
+ */
+public class SignatureUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * Marshall a SignatureType to output stream
+     *
+     * @param signature
+     * @param os
+     *
+     * @throws SAXException
+     * @throws JAXBException
+     */
+    public static void marshall(SignatureType signature, OutputStream os) throws JAXBException, SAXException {
+        throw logger.notImplementedYet("NYI");
+        /*
+         * JAXBElement<SignatureType> jsig = objectFactory.createSignature(signature); Marshaller marshaller =
+         * JAXBUtil.getValidatingMarshaller(pkgName, schemaLocation); marshaller.marshal(jsig, os);
+         */
+    }
+
+    /**
+     * Get the XML Signature URI for the algo (RSA, DSA)
+     *
+     * @param algo
+     *
+     * @return
+     */
+    public static String getXMLSignatureAlgorithmURI(String algo) {
+        String xmlSignatureAlgo = null;
+
+        if ("DSA".equalsIgnoreCase(algo)) {
+            xmlSignatureAlgo = JBossSAMLConstants.SIGNATURE_SHA1_WITH_DSA.get();
+        } else if ("RSA".equalsIgnoreCase(algo)) {
+            xmlSignatureAlgo = JBossSAMLConstants.SIGNATURE_SHA1_WITH_RSA.get();
+        }
+        return xmlSignatureAlgo;
+    }
+
+    /**
+     * Sign a string using the private key
+     *
+     * @param stringToBeSigned
+     * @param signingKey
+     *
+     * @return
+     *
+     * @throws GeneralSecurityException
+     */
+    public static byte[] sign(String stringToBeSigned, PrivateKey signingKey) throws GeneralSecurityException {
+        if (stringToBeSigned == null)
+            throw logger.nullArgumentError("stringToBeSigned");
+        if (signingKey == null)
+            throw logger.nullArgumentError("signingKey");
+
+        String algo = signingKey.getAlgorithm();
+        Signature sig = getSignature(algo);
+        sig.initSign(signingKey);
+        sig.update(stringToBeSigned.getBytes());
+        return sig.sign();
+    }
+
+    /**
+     * Validate the signed content with the signature value
+     *
+     * @param signedContent
+     * @param signatureValue
+     * @param validatingKey
+     *
+     * @return
+     *
+     * @throws GeneralSecurityException
+     */
+    public static boolean validate(byte[] signedContent, byte[] signatureValue, PublicKey validatingKey)
+            throws GeneralSecurityException {
+        if (signedContent == null)
+            throw logger.nullArgumentError("signedContent");
+        if (signatureValue == null)
+            throw logger.nullArgumentError("signatureValue");
+        if (validatingKey == null)
+            throw logger.nullArgumentError("validatingKey");
+
+        // We assume that the sigatureValue has the same algorithm as the public key
+        // If not, there will be an exception anyway
+        String algo = validatingKey.getAlgorithm();
+        Signature sig = getSignature(algo);
+
+        sig.initVerify(validatingKey);
+        sig.update(signedContent);
+        return sig.verify(signatureValue);
+    }
+
+    /**
+     * Validate the signature using a x509 certificate
+     *
+     * @param signedContent
+     * @param signatureValue
+     * @param signatureAlgorithm
+     * @param validatingCert
+     *
+     * @return
+     *
+     * @throws GeneralSecurityException
+     */
+    public static boolean validate(byte[] signedContent, byte[] signatureValue, String signatureAlgorithm,
+                                   X509Certificate validatingCert) throws GeneralSecurityException {
+        if (signedContent == null)
+            throw logger.nullArgumentError("signedContent");
+        if (signatureValue == null)
+            throw logger.nullArgumentError("signatureValue");
+        if (signatureAlgorithm == null)
+            throw logger.nullArgumentError("signatureAlgorithm");
+        if (validatingCert == null)
+            throw logger.nullArgumentError("validatingCert");
+
+        Signature sig = getSignature(signatureAlgorithm);
+
+        sig.initVerify(validatingCert);
+        sig.update(signedContent);
+        return sig.verify(signatureValue);
+    }
+
+
+    /**
+     * Given a dsig:DSAKeyValue element, return {@link DSAKeyValueType}
+     *
+     * @param element
+     *
+     * @return
+     *
+     * @throws org.keycloak.saml.common.exceptions.ParsingException
+     */
+    public static DSAKeyValueType getDSAKeyValue(Element element) throws ParsingException {
+        DSAKeyValueType dsa = new DSAKeyValueType();
+        NodeList nl = element.getChildNodes();
+        int length = nl.getLength();
+
+        for (int i = 0; i < length; i++) {
+            Node node = nl.item(i);
+            if (node instanceof Element) {
+                Element childElement = (Element) node;
+                String tag = childElement.getLocalName();
+
+                byte[] text = childElement.getTextContent().getBytes();
+
+                if (WSTrustConstants.XMLDSig.P.equals(tag)) {
+                    dsa.setP(text);
+                } else if (WSTrustConstants.XMLDSig.Q.equals(tag)) {
+                    dsa.setQ(text);
+                } else if (WSTrustConstants.XMLDSig.G.equals(tag)) {
+                    dsa.setG(text);
+                } else if (WSTrustConstants.XMLDSig.Y.equals(tag)) {
+                    dsa.setY(text);
+                } else if (WSTrustConstants.XMLDSig.SEED.equals(tag)) {
+                    dsa.setSeed(text);
+                } else if (WSTrustConstants.XMLDSig.PGEN_COUNTER.equals(tag)) {
+                    dsa.setPgenCounter(text);
+                }
+            }
+        }
+
+        return dsa;
+    }
+
+    /**
+     * Given a dsig:DSAKeyValue element, return {@link DSAKeyValueType}
+     *
+     * @param element
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static RSAKeyValueType getRSAKeyValue(Element element) throws ParsingException {
+        RSAKeyValueType rsa = new RSAKeyValueType();
+        NodeList nl = element.getChildNodes();
+        int length = nl.getLength();
+
+        for (int i = 0; i < length; i++) {
+            Node node = nl.item(i);
+            if (node instanceof Element) {
+                Element childElement = (Element) node;
+                String tag = childElement.getLocalName();
+
+                byte[] text = childElement.getTextContent().getBytes();
+
+                if (WSTrustConstants.XMLDSig.MODULUS.equals(tag)) {
+                    rsa.setModulus(text);
+                } else if (WSTrustConstants.XMLDSig.EXPONENT.equals(tag)) {
+                    rsa.setExponent(text);
+                }
+            }
+        }
+
+        return rsa;
+    }
+
+    /**
+     * <p>
+     * Creates a {@code KeyValueType} that wraps the specified public key. This method supports DSA and RSA keys.
+     * </p>
+     *
+     * @param key the {@code PublicKey} that will be represented as a {@code KeyValueType}.
+     *
+     * @return the constructed {@code KeyValueType} or {@code null} if the specified key is neither a DSA nor a RSA
+     *         key.
+     */
+    public static KeyValueType createKeyValue(PublicKey key) {
+        if (key instanceof RSAPublicKey) {
+            RSAPublicKey pubKey = (RSAPublicKey) key;
+            byte[] modulus = pubKey.getModulus().toByteArray();
+            byte[] exponent = pubKey.getPublicExponent().toByteArray();
+
+            RSAKeyValueType rsaKeyValue = new RSAKeyValueType();
+            rsaKeyValue.setModulus(Base64.encodeBytes(modulus).getBytes());
+            rsaKeyValue.setExponent(Base64.encodeBytes(exponent).getBytes());
+            return rsaKeyValue;
+        } else if (key instanceof DSAPublicKey) {
+            DSAPublicKey pubKey = (DSAPublicKey) key;
+            byte[] P = pubKey.getParams().getP().toByteArray();
+            byte[] Q = pubKey.getParams().getQ().toByteArray();
+            byte[] G = pubKey.getParams().getG().toByteArray();
+            byte[] Y = pubKey.getY().toByteArray();
+
+            DSAKeyValueType dsaKeyValue = new DSAKeyValueType();
+            dsaKeyValue.setP(Base64.encodeBytes(P).getBytes());
+            dsaKeyValue.setQ(Base64.encodeBytes(Q).getBytes());
+            dsaKeyValue.setG(Base64.encodeBytes(G).getBytes());
+            dsaKeyValue.setY(Base64.encodeBytes(Y).getBytes());
+            return dsaKeyValue;
+        }
+        throw logger.unsupportedType(key.toString());
+    }
+
+    private static Signature getSignature(String algo) throws GeneralSecurityException {
+        Signature sig = null;
+
+        if ("DSA".equalsIgnoreCase(algo)) {
+            sig = Signature.getInstance(PicketLinkFederationConstants.DSA_SIGNATURE_ALGORITHM);
+        } else if ("RSA".equalsIgnoreCase(algo)) {
+            sig = Signature.getInstance(PicketLinkFederationConstants.RSA_SIGNATURE_ALGORITHM);
+        } else
+            throw logger.signatureUnknownAlgo(algo);
+        return sig;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/StatementUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/StatementUtil.java
new file mode 100755
index 0000000000..c184e58ea7
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/StatementUtil.java
@@ -0,0 +1,241 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.keycloak.saml.processing.core.saml.v2.util;
+
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.util.StringUtil;
+import org.keycloak.saml.processing.core.constants.AttributeConstants;
+import org.keycloak.saml.processing.core.saml.v2.constants.X500SAMLProfileConstants;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
+import org.keycloak.dom.saml.v2.assertion.AuthnContextClassRefType;
+import org.keycloak.dom.saml.v2.assertion.AuthnContextType;
+import org.keycloak.dom.saml.v2.assertion.AuthnStatementType;
+import org.keycloak.dom.saml.v2.assertion.StatementAbstractType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * Deals with SAML2 Statements
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Aug 31, 2009
+ */
+public class StatementUtil {
+
+    public static final QName X500_QNAME = new QName(JBossSAMLURIConstants.X500_NSURI.get(), "Encoding",
+            JBossSAMLURIConstants.X500_PREFIX.get());
+
+    /**
+     * Create an AuthnStatementType given the issue instant and the type of authentication
+     *
+     * @param instant an instanceof {@link XMLGregorianCalendar}
+     * @param authnContextClassRefValue indicate the type of authentication performed
+     *
+     * @return {@link AuthnStatementType}
+     */
+    public static AuthnStatementType createAuthnStatement(XMLGregorianCalendar instant, String authnContextClassRefValue) {
+        AuthnStatementType authnStatement = new AuthnStatementType(instant);
+
+        AuthnContextType authnContext = new AuthnContextType();
+        AuthnContextClassRefType authnContextClassRef = new AuthnContextClassRefType(URI.create(authnContextClassRefValue));
+
+        AuthnContextType.AuthnContextTypeSequence sequence = (authnContext).new AuthnContextTypeSequence();
+        sequence.setClassRef(authnContextClassRef);
+        authnContext.setSequence(sequence);
+
+        authnStatement.setAuthnContext(authnContext);
+
+        return authnStatement;
+    }
+
+    /**
+     * Create an attribute statement with all the attributes
+     *
+     * @param attributes a map with keys from {@link AttributeConstants}
+     *
+     * @return
+     */
+    public static AttributeStatementType createAttributeStatement(Map<String, Object> attributes) {
+        AttributeStatementType attrStatement = null;
+
+        int i = 0;
+
+        Set<String> keys = attributes.keySet();
+        for (String key : keys) {
+            if (i == 0) {
+                // Deal with the X500 Profile of SAML2
+                attrStatement = new AttributeStatementType();
+                i++;
+            }
+
+            // if the attribute contains roles, add each role as an attribute.
+            if (AttributeConstants.ROLES.equalsIgnoreCase(key)) {
+                Object value = attributes.get(key);
+                if (value instanceof Collection<?>) {
+                    Collection<?> roles = (Collection<?>) value;
+                    attrStatement = createAttributeStatement(new ArrayList(roles));
+                }
+            } else {
+                AttributeType att;
+                Object value = attributes.get(key);
+
+                String uri = X500SAMLProfileConstants.getOID(key);
+                if (StringUtil.isNotNull(uri)) {
+                    att = getX500Attribute(uri);
+                    att.setFriendlyName(key);
+                } else {
+                    att = new AttributeType(key);
+                    att.setFriendlyName(key);
+                    att.setNameFormat(JBossSAMLURIConstants.ATTRIBUTE_FORMAT_URI.get());
+                }
+
+                if (Collection.class.isInstance(value)) {
+                    Collection collection = (Collection) value;
+                    Iterator iterator = collection.iterator();
+
+                    while (iterator.hasNext()) {
+                        att.addAttributeValue(iterator.next());
+                    }
+                } else if (String.class.isInstance(value)) {
+                    att.addAttributeValue(value);
+                } else {
+                    throw new RuntimeException("Unsupported attribute value [" + value + "]. Values must be a string, even if using a Collection.");
+                }
+
+                attrStatement.addAttribute(new ASTChoiceType(att));
+            }
+        }
+        return attrStatement;
+    }
+
+    /**
+     * Given a set of roles, create an attribute statement
+     *
+     * @param roles
+     *
+     * @return
+     */
+    public static AttributeStatementType createAttributeStatement(List<String> roles) {
+        AttributeStatementType attrStatement = null;
+        for (String role : roles) {
+            if (attrStatement == null) {
+                attrStatement = new AttributeStatementType();
+            }
+            AttributeType attr = new AttributeType(AttributeConstants.ROLE_IDENTIFIER_ASSERTION);
+            attr.addAttributeValue(role);
+            attrStatement.addAttribute(new ASTChoiceType(attr));
+        }
+        return attrStatement;
+    }
+
+    /**
+     * Given a set of roles, create an attribute statement
+     *
+     * @param roles
+     * @param multivalued if you want the attribute to be multi valued
+     *
+     * @return
+     */
+    public static AttributeStatementType createAttributeStatementForRoles(List<String> roles, boolean multivalued) {
+        if (multivalued == false) {
+            return createAttributeStatement(roles);
+        }
+        AttributeStatementType attrStatement = new AttributeStatementType();
+        AttributeType attr = new AttributeType(AttributeConstants.ROLE_IDENTIFIER_ASSERTION);
+        for (String role : roles) {
+            attr.addAttributeValue(role);
+        }
+        attrStatement.addAttribute(new ASTChoiceType(attr));
+        return attrStatement;
+    }
+
+    /**
+     * Given an attribute type and a value, create {@link AttributeStatementType}
+     *
+     * @param key attribute type
+     * @param value attribute value
+     *
+     * @return
+     */
+    public static AttributeStatementType createAttributeStatement(String key, String value) {
+        AttributeStatementType attrStatement = new AttributeStatementType();
+        AttributeType attr = new AttributeType(key);
+        attr.addAttributeValue(value);
+        attrStatement.addAttribute(new ASTChoiceType(attr));
+
+        return attrStatement;
+    }
+
+    public static Map<String, Object> asMap(Set<AttributeStatementType> attributeStatementTypes) {
+        Map<String, Object> attrMap = new HashMap<String, Object>();
+
+        if (attributeStatementTypes != null && !attributeStatementTypes.isEmpty()) {
+            attrMap = new HashMap<String, Object>();
+
+            for (StatementAbstractType statement : attributeStatementTypes) {
+                if (statement instanceof AttributeStatementType) {
+                    AttributeStatementType attrStat = (AttributeStatementType) statement;
+                    List<ASTChoiceType> attrs = attrStat.getAttributes();
+                    for (ASTChoiceType attrChoice : attrs) {
+                        AttributeType attr = attrChoice.getAttribute();
+                        String attributeName = attr.getFriendlyName();
+
+                        if (attributeName == null) {
+                            attributeName = attr.getName();
+                        }
+
+                        List<Object> values = attr.getAttributeValue();
+
+                        if (values != null) {
+                            if (values.size() == 1) {
+                                attrMap.put(attributeName, values.get(0));
+                            } else {
+                                attrMap.put(attributeName, values);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+
+        return attrMap;
+    }
+
+    private static AttributeType getX500Attribute(String name) {
+        AttributeType att = new AttributeType(name);
+        att.getOtherAttributes().put(X500_QNAME, "LDAP");
+
+        att.setNameFormat(JBossSAMLURIConstants.ATTRIBUTE_FORMAT_URI.get());
+        return att;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/StaxWriterUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/StaxWriterUtil.java
new file mode 100755
index 0000000000..9da4caff75
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/StaxWriterUtil.java
@@ -0,0 +1,166 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.saml.processing.core.saml.v2.util;
+
+
+import org.keycloak.saml.common.ErrorCodes;
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.WSTrustConstants;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.StaxUtil;
+import org.keycloak.dom.xmlsec.w3.xmldsig.DSAKeyValueType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.KeyInfoType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.KeyValueType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.RSAKeyValueType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.X509CertificateType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.X509DataType;
+import org.w3c.dom.Element;
+
+import javax.xml.stream.XMLStreamWriter;
+
+/**
+ * Utility methods for stax writing
+ *
+ * @author anil saldhana
+ * @since Jan 28, 2013
+ */
+public class StaxWriterUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * Write the {@link org.keycloak.dom.xmlsec.w3.xmldsig.KeyInfoType}
+     *
+     * @param writer
+     * @param keyInfo
+     *
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     */
+    public static void writeKeyInfo(XMLStreamWriter writer, KeyInfoType keyInfo) throws ProcessingException {
+        if (keyInfo.getContent() == null || keyInfo.getContent().size() == 0)
+            throw logger.writerInvalidKeyInfoNullContentError();
+        StaxUtil.writeStartElement(writer, WSTrustConstants.XMLDSig.DSIG_PREFIX, WSTrustConstants.XMLDSig.KEYINFO,
+                WSTrustConstants.XMLDSig.DSIG_NS);
+        StaxUtil.writeNameSpace(writer, WSTrustConstants.XMLDSig.DSIG_PREFIX, WSTrustConstants.XMLDSig.DSIG_NS);
+        // write the keyInfo content.
+        Object content = keyInfo.getContent().get(0);
+        if (content instanceof Element) {
+            Element element = (Element) keyInfo.getContent().get(0);
+            StaxUtil.writeDOMNode(writer, element);
+        } else if (content instanceof X509DataType) {
+            X509DataType type = (X509DataType) content;
+            if (type.getDataObjects().size() == 0)
+                throw logger.writerNullValueError("X509Data");
+            StaxUtil.writeStartElement(writer, WSTrustConstants.XMLDSig.DSIG_PREFIX, WSTrustConstants.XMLDSig.X509DATA,
+                    WSTrustConstants.XMLDSig.DSIG_NS);
+            Object obj = type.getDataObjects().get(0);
+            if (obj instanceof Element) {
+                Element element = (Element) obj;
+                StaxUtil.writeDOMElement(writer, element);
+            } else if (obj instanceof X509CertificateType) {
+                X509CertificateType cert = (X509CertificateType) obj;
+                StaxUtil.writeStartElement(writer, WSTrustConstants.XMLDSig.DSIG_PREFIX, WSTrustConstants.XMLDSig.X509CERT,
+                        WSTrustConstants.XMLDSig.DSIG_NS);
+                StaxUtil.writeCharacters(writer, new String(cert.getEncodedCertificate()));
+                StaxUtil.writeEndElement(writer);
+            }
+            StaxUtil.writeEndElement(writer);
+        } else if (content instanceof KeyValueType) {
+            KeyValueType keyvalueType = (KeyValueType) content;
+            StaxUtil.writeStartElement(writer, WSTrustConstants.XMLDSig.DSIG_PREFIX, WSTrustConstants.XMLDSig.KEYVALUE,
+                    WSTrustConstants.XMLDSig.DSIG_NS);
+            if (keyvalueType instanceof DSAKeyValueType) {
+                writeDSAKeyValueType(writer, (DSAKeyValueType) keyvalueType);
+            }
+            if (keyvalueType instanceof RSAKeyValueType) {
+                writeRSAKeyValueType(writer, (RSAKeyValueType) keyvalueType);
+            }
+            StaxUtil.writeEndElement(writer);
+        } else
+            throw new ProcessingException(ErrorCodes.UNSUPPORTED_TYPE + content);
+
+        StaxUtil.writeEndElement(writer);
+    }
+
+    public static void writeRSAKeyValueType(XMLStreamWriter writer, RSAKeyValueType type) throws ProcessingException {
+        String prefix = WSTrustConstants.XMLDSig.DSIG_PREFIX;
+
+        StaxUtil.writeStartElement(writer, prefix, WSTrustConstants.XMLDSig.RSA_KEYVALUE, WSTrustConstants.DSIG_NS);
+        // write the rsa key modulus.
+        byte[] modulus = type.getModulus();
+        StaxUtil.writeStartElement(writer, prefix, WSTrustConstants.XMLDSig.MODULUS, WSTrustConstants.DSIG_NS);
+        StaxUtil.writeCharacters(writer, new String(modulus));
+        StaxUtil.writeEndElement(writer);
+
+        // write the rsa key exponent.
+        byte[] exponent = type.getExponent();
+        StaxUtil.writeStartElement(writer, prefix, WSTrustConstants.XMLDSig.EXPONENT, WSTrustConstants.DSIG_NS);
+        StaxUtil.writeCharacters(writer, new String(exponent));
+        StaxUtil.writeEndElement(writer);
+
+        StaxUtil.writeEndElement(writer);
+    }
+
+    public static void writeDSAKeyValueType(XMLStreamWriter writer, DSAKeyValueType type) throws ProcessingException {
+
+        String prefix = WSTrustConstants.XMLDSig.DSIG_PREFIX;
+
+        StaxUtil.writeStartElement(writer, prefix, WSTrustConstants.XMLDSig.DSA_KEYVALUE, WSTrustConstants.DSIG_NS);
+
+        byte[] p = type.getP();
+        if (p != null) {
+            StaxUtil.writeStartElement(writer, prefix, WSTrustConstants.XMLDSig.P, WSTrustConstants.DSIG_NS);
+            StaxUtil.writeCharacters(writer, new String(p));
+            StaxUtil.writeEndElement(writer);
+        }
+        byte[] q = type.getQ();
+        if (q != null) {
+            StaxUtil.writeStartElement(writer, prefix, WSTrustConstants.XMLDSig.Q, WSTrustConstants.DSIG_NS);
+            StaxUtil.writeCharacters(writer, new String(q));
+            StaxUtil.writeEndElement(writer);
+        }
+        byte[] g = type.getG();
+        if (g != null) {
+            StaxUtil.writeStartElement(writer, prefix, WSTrustConstants.XMLDSig.G, WSTrustConstants.DSIG_NS);
+            StaxUtil.writeCharacters(writer, new String(g));
+            StaxUtil.writeEndElement(writer);
+        }
+        byte[] y = type.getY();
+        if (y != null) {
+            StaxUtil.writeStartElement(writer, prefix, WSTrustConstants.XMLDSig.Y, WSTrustConstants.DSIG_NS);
+            StaxUtil.writeCharacters(writer, new String(y));
+            StaxUtil.writeEndElement(writer);
+        }
+        byte[] seed = type.getSeed();
+        if (seed != null) {
+            StaxUtil.writeStartElement(writer, prefix, WSTrustConstants.XMLDSig.SEED, WSTrustConstants.DSIG_NS);
+            StaxUtil.writeCharacters(writer, new String(seed));
+            StaxUtil.writeEndElement(writer);
+        }
+        byte[] pgen = type.getPgenCounter();
+        if (pgen != null) {
+            StaxUtil.writeStartElement(writer, prefix, WSTrustConstants.XMLDSig.PGEN_COUNTER, WSTrustConstants.DSIG_NS);
+            StaxUtil.writeCharacters(writer, new String(pgen));
+            StaxUtil.writeEndElement(writer);
+        }
+
+        StaxUtil.writeEndElement(writer);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/XMLTimeUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/XMLTimeUtil.java
new file mode 100755
index 0000000000..acb6ceb49d
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/util/XMLTimeUtil.java
@@ -0,0 +1,254 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.util.SystemPropertiesUtil;
+
+import javax.xml.datatype.DatatypeConfigurationException;
+import javax.xml.datatype.DatatypeConstants;
+import javax.xml.datatype.DatatypeFactory;
+import javax.xml.datatype.Duration;
+import javax.xml.datatype.XMLGregorianCalendar;
+import java.util.GregorianCalendar;
+import java.util.TimeZone;
+
+/**
+ * Util class dealing with xml based time
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jan 6, 2009
+ */
+public class XMLTimeUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * Add additional time in miliseconds
+     *
+     * @param value calendar whose value needs to be updated
+     * @param milis
+     *
+     * @return calendar value with the addition
+     *
+     * @throws org.keycloak.saml.common.exceptions.ConfigurationException
+     */
+    public static XMLGregorianCalendar add(XMLGregorianCalendar value, long milis) throws ConfigurationException {
+        XMLGregorianCalendar newVal = (XMLGregorianCalendar) value.clone();
+
+        Duration duration;
+        try {
+            duration = newDatatypeFactory().newDuration(milis);
+        } catch (DatatypeConfigurationException e) {
+            throw logger.configurationError(e);
+        }
+        newVal.add(duration);
+        return newVal;
+    }
+
+    /**
+     * Subtract some miliseconds from the time value
+     *
+     * @param value
+     * @param milis miliseconds entered in a positive value
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public static XMLGregorianCalendar subtract(XMLGregorianCalendar value, long milis) throws ConfigurationException {
+        if (milis < 0)
+            throw logger.invalidArgumentError("milis should be a positive value");
+        return add(value, -1 * milis);
+    }
+
+    /**
+     * Returns a XMLGregorianCalendar in the timezone specified. If the timezone is not valid, then the timezone falls
+     * back to
+     * "GMT"
+     *
+     * @param timezone
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public static XMLGregorianCalendar getIssueInstant(String timezone) throws ConfigurationException {
+        TimeZone tz = TimeZone.getTimeZone(timezone);
+        DatatypeFactory dtf;
+        try {
+            dtf = newDatatypeFactory();
+        } catch (DatatypeConfigurationException e) {
+            throw logger.configurationError(e);
+        }
+
+        GregorianCalendar gc = new GregorianCalendar(tz);
+        XMLGregorianCalendar xgc = dtf.newXMLGregorianCalendar(gc);
+
+        return xgc;
+    }
+
+    /**
+     * Get the current instant of time
+     *
+     * @return
+     *
+     * @throws ConfigurationException
+     */
+    public static XMLGregorianCalendar getIssueInstant() throws ConfigurationException {
+        return getIssueInstant(getCurrentTimeZoneID());
+    }
+
+    public static String getCurrentTimeZoneID() {
+        String timezonePropertyValue = SecurityActions.getSystemProperty(GeneralConstants.TIMEZONE, "GMT");
+
+        TimeZone timezone;
+        if (GeneralConstants.TIMEZONE_DEFAULT.equals(timezonePropertyValue)) {
+            timezone = TimeZone.getDefault();
+        } else {
+            timezone = TimeZone.getTimeZone(timezonePropertyValue);
+        }
+
+        return timezone.getID();
+    }
+
+    /**
+     * Convert the minutes into miliseconds
+     *
+     * @param valueInMins
+     *
+     * @return
+     */
+    public static long inMilis(int valueInMins) {
+        return valueInMins * 60 * 1000;
+    }
+
+    /**
+     * Validate that the current time falls between the two boundaries
+     *
+     * @param now
+     * @param notbefore
+     * @param notOnOrAfter
+     *
+     * @return
+     */
+    public static boolean isValid(XMLGregorianCalendar now, XMLGregorianCalendar notbefore, XMLGregorianCalendar notOnOrAfter) {
+        int val = 0;
+
+        if (notbefore != null) {
+            val = notbefore.compare(now);
+
+            if (val == DatatypeConstants.INDETERMINATE || val == DatatypeConstants.GREATER)
+                return false;
+        }
+
+        if (notOnOrAfter != null) {
+            val = notOnOrAfter.compare(now);
+
+            if (val != DatatypeConstants.GREATER)
+                return false;
+        }
+
+        return true;
+    }
+
+    /**
+     * Given a string, get the Duration object. The string can be an ISO 8601 period representation (Eg.: P10M) or a
+     * numeric
+     * value. If a ISO 8601 period, the duration will reflect the defined format. If a numeric (Eg.: 1000) the duration
+     * will
+     * be calculated in milliseconds.
+     *
+     * @param timeValue
+     *
+     * @return
+     *
+     * @throws org.keycloak.saml.common.exceptions.ParsingException
+     */
+    public static Duration parseAsDuration(String timeValue) throws ParsingException {
+        if (timeValue == null) {
+            PicketLinkLoggerFactory.getLogger().nullArgumentError("duration time");
+        }
+
+        DatatypeFactory factory = null;
+
+        try {
+            factory = newDatatypeFactory();
+        } catch (DatatypeConfigurationException e) {
+            throw logger.parserError(e);
+        }
+
+        try {
+            // checks if it is a ISO 8601 period. If not it must be a numeric value.
+            if (timeValue.startsWith("P")) {
+                return factory.newDuration(timeValue);
+            } else {
+                return factory.newDuration(Long.valueOf(timeValue));
+            }
+        } catch (Exception e) {
+            throw logger.samlMetaDataFailedToCreateCacheDuration(timeValue);
+        }
+    }
+
+    /**
+     * Given a string representing xml time, parse into {@code XMLGregorianCalendar}
+     *
+     * @param timeString
+     *
+     * @return
+     *
+     * @throws ParsingException
+     */
+    public static XMLGregorianCalendar parse(String timeString) throws ParsingException {
+        DatatypeFactory factory = null;
+        try {
+            factory = newDatatypeFactory();
+        } catch (DatatypeConfigurationException e) {
+            throw logger.parserError(e);
+        }
+        return factory.newXMLGregorianCalendar(timeString);
+    }
+
+
+    /**
+     * Create a new {@link DatatypeFactory}
+     *
+     * @return
+     *
+     * @throws DatatypeConfigurationException
+     */
+    public static DatatypeFactory newDatatypeFactory() throws DatatypeConfigurationException {
+        boolean tccl_jaxp = SystemPropertiesUtil.getSystemProperty(GeneralConstants.TCCL_JAXP, "false")
+                .equalsIgnoreCase("true");
+        ClassLoader prevTCCL = SecurityActions.getTCCL();
+        try {
+            if (tccl_jaxp) {
+                SecurityActions.setTCCL(XMLTimeUtil.class.getClassLoader());
+            }
+            return DatatypeFactory.newInstance();
+        } finally {
+            if (tccl_jaxp) {
+                SecurityActions.setTCCL(prevTCCL);
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/BaseWriter.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/BaseWriter.java
new file mode 100755
index 0000000000..a484a1922b
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/BaseWriter.java
@@ -0,0 +1,322 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.writers;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.StaxUtil;
+import org.keycloak.saml.common.util.StringUtil;
+import org.keycloak.saml.processing.core.saml.v2.util.StaxWriterUtil;
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
+import org.keycloak.dom.saml.v2.assertion.BaseIDAbstractType;
+import org.keycloak.dom.saml.v2.assertion.EncryptedElementType;
+import org.keycloak.dom.saml.v2.assertion.KeyInfoConfirmationDataType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType;
+import org.keycloak.dom.saml.v2.assertion.SubjectConfirmationType;
+import org.keycloak.dom.saml.v2.assertion.SubjectType;
+import org.keycloak.dom.saml.v2.metadata.LocalizedNameType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.KeyInfoType;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamWriter;
+import java.net.URI;
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Map;
+
+import static org.keycloak.saml.common.constants.JBossSAMLURIConstants.ASSERTION_NSURI;
+
+/**
+ * Base Class for the Stax writers for SAML
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 2, 2010
+ */
+public class BaseWriter {
+
+    protected static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    protected static String PROTOCOL_PREFIX = "samlp";
+
+    protected static String ASSERTION_PREFIX = "saml";
+
+    protected static String XACML_SAML_PREFIX = "xacml-saml";
+
+    protected static String XACML_SAML_PROTO_PREFIX = "xacml-samlp";
+
+    protected static String XSI_PREFIX = "xsi";
+
+    protected XMLStreamWriter writer = null;
+
+    public BaseWriter(XMLStreamWriter writer) {
+        this.writer = writer;
+    }
+
+    /**
+     * Write {@code NameIDType} to stream
+     *
+     * @param nameIDType
+     * @param tag
+     * @param out
+     *
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     */
+    public void write(NameIDType nameIDType, QName tag) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, tag.getPrefix(), tag.getLocalPart(), tag.getNamespaceURI());
+
+        StaxUtil.writeNameSpace(writer, ASSERTION_PREFIX, ASSERTION_NSURI.get());
+
+        URI format = nameIDType.getFormat();
+        if (format != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.FORMAT.get(), format.toASCIIString());
+        }
+
+        String spProvidedID = nameIDType.getSPProvidedID();
+        if (StringUtil.isNotNull(spProvidedID)) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.SP_PROVIDED_ID.get(), spProvidedID);
+        }
+
+        String spNameQualifier = nameIDType.getSPNameQualifier();
+        if (StringUtil.isNotNull(spNameQualifier)) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.SP_NAME_QUALIFIER.get(), spNameQualifier);
+        }
+
+        String nameQualifier = nameIDType.getNameQualifier();
+        if (StringUtil.isNotNull(nameQualifier)) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.NAME_QUALIFIER.get(), nameQualifier);
+        }
+
+        String value = nameIDType.getValue();
+        if (StringUtil.isNotNull(value)) {
+            StaxUtil.writeCharacters(writer, value);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * Write an {@code AttributeType} to stream
+     *
+     * @param attributeType
+     * @param out
+     *
+     * @throws ProcessingException
+     */
+    public void write(AttributeType attributeType) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.ATTRIBUTE.get(), ASSERTION_NSURI.get());
+
+        writeAttributeTypeWithoutRootTag(attributeType);
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void writeAttributeTypeWithoutRootTag(AttributeType attributeType) throws ProcessingException {
+        String attributeName = attributeType.getName();
+        if (attributeName != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.NAME.get(), attributeName);
+        }
+
+        String friendlyName = attributeType.getFriendlyName();
+        if (StringUtil.isNotNull(friendlyName)) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.FRIENDLY_NAME.get(), friendlyName);
+        }
+
+        String nameFormat = attributeType.getNameFormat();
+        if (StringUtil.isNotNull(nameFormat)) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.NAME_FORMAT.get(), nameFormat);
+        }
+
+        // Take care of other attributes such as x500:encoding
+        Map<QName, String> otherAttribs = attributeType.getOtherAttributes();
+        if (otherAttribs != null) {
+            List<String> nameSpacesDealt = new ArrayList<String>();
+
+            Iterator<QName> keySet = otherAttribs.keySet().iterator();
+            while (keySet != null && keySet.hasNext()) {
+                QName qname = keySet.next();
+                String ns = qname.getNamespaceURI();
+                if (!nameSpacesDealt.contains(ns)) {
+                    StaxUtil.writeNameSpace(writer, qname.getPrefix(), ns);
+                    nameSpacesDealt.add(ns);
+                }
+                String attribValue = otherAttribs.get(qname);
+                StaxUtil.writeAttribute(writer, qname, attribValue);
+            }
+        }
+
+        List<Object> attributeValues = attributeType.getAttributeValue();
+        if (attributeValues != null) {
+            for (Object attributeValue : attributeValues) {
+                if (attributeValue != null) {
+                    if (attributeValue instanceof String) {
+                        writeStringAttributeValue((String) attributeValue);
+                    } else
+                        throw logger.writerUnsupportedAttributeValueError(attributeValue.getClass().getName());
+                }
+            }
+        }
+    }
+
+    public void writeStringAttributeValue(String attributeValue) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.ATTRIBUTE_VALUE.get(), ASSERTION_NSURI.get());
+
+        StaxUtil.writeNameSpace(writer, JBossSAMLURIConstants.XSI_PREFIX.get(), JBossSAMLURIConstants.XSI_NSURI.get());
+        StaxUtil.writeNameSpace(writer, "xs", JBossSAMLURIConstants.XMLSCHEMA_NSURI.get());
+        StaxUtil.writeAttribute(writer, "xsi", JBossSAMLURIConstants.XSI_NSURI.get(), "type", "xs:string");
+        StaxUtil.writeCharacters(writer, attributeValue);
+        StaxUtil.writeEndElement(writer);
+    }
+
+    public void writeLocalizedNameType(LocalizedNameType localizedNameType, QName startElement) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, startElement.getPrefix(), startElement.getLocalPart(),
+                startElement.getNamespaceURI());
+        StaxUtil.writeAttribute(writer, new QName(JBossSAMLURIConstants.XML.get(), "lang", "xml"), localizedNameType.getLang());
+        StaxUtil.writeCharacters(writer, localizedNameType.getValue());
+        StaxUtil.writeEndElement(writer);
+    }
+
+    /**
+     * write an {@code SubjectType} to stream
+     *
+     * @param subject
+     * @param out
+     *
+     * @throws ProcessingException
+     */
+    public void write(SubjectType subject) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.SUBJECT.get(), ASSERTION_NSURI.get());
+
+        SubjectType.STSubType subType = subject.getSubType();
+        if (subType != null) {
+            BaseIDAbstractType baseID = subType.getBaseID();
+            if (baseID instanceof NameIDType) {
+                NameIDType nameIDType = (NameIDType) baseID;
+                write(nameIDType, new QName(ASSERTION_NSURI.get(), JBossSAMLConstants.NAMEID.get(), ASSERTION_PREFIX));
+            }
+            EncryptedElementType enc = subType.getEncryptedID();
+            if (enc != null)
+                throw new RuntimeException("NYI");
+            List<SubjectConfirmationType> confirmations = subType.getConfirmation();
+            if (confirmations != null) {
+                for (SubjectConfirmationType confirmation : confirmations) {
+                    write(confirmation);
+                }
+            }
+        }
+        List<SubjectConfirmationType> subjectConfirmations = subject.getConfirmation();
+        if (subjectConfirmations != null) {
+            for (SubjectConfirmationType subjectConfirmationType : subjectConfirmations) {
+                write(subjectConfirmationType);
+            }
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    private void write(SubjectConfirmationType subjectConfirmationType) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.SUBJECT_CONFIRMATION.get(),
+                ASSERTION_NSURI.get());
+
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.METHOD.get(), subjectConfirmationType.getMethod());
+
+        BaseIDAbstractType baseID = subjectConfirmationType.getBaseID();
+        if (baseID != null) {
+            write(baseID);
+        }
+        NameIDType nameIDType = subjectConfirmationType.getNameID();
+        if (nameIDType != null) {
+            write(nameIDType, new QName(ASSERTION_NSURI.get(), JBossSAMLConstants.NAMEID.get(), ASSERTION_PREFIX));
+        }
+        SubjectConfirmationDataType subjectConfirmationData = subjectConfirmationType.getSubjectConfirmationData();
+        if (subjectConfirmationData != null) {
+            write(subjectConfirmationData);
+        }
+        StaxUtil.writeEndElement(writer);
+    }
+
+    private void write(SubjectConfirmationDataType subjectConfirmationData) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.SUBJECT_CONFIRMATION_DATA.get(),
+                ASSERTION_NSURI.get());
+
+        // Let us look at attributes
+        String inResponseTo = subjectConfirmationData.getInResponseTo();
+        if (StringUtil.isNotNull(inResponseTo)) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.IN_RESPONSE_TO.get(), inResponseTo);
+        }
+
+        XMLGregorianCalendar notBefore = subjectConfirmationData.getNotBefore();
+        if (notBefore != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_BEFORE.get(), notBefore.toString());
+        }
+
+        XMLGregorianCalendar notOnOrAfter = subjectConfirmationData.getNotOnOrAfter();
+        if (notOnOrAfter != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_ON_OR_AFTER.get(), notOnOrAfter.toString());
+        }
+
+        String recipient = subjectConfirmationData.getRecipient();
+        if (StringUtil.isNotNull(recipient)) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.RECIPIENT.get(), recipient);
+        }
+
+        String address = subjectConfirmationData.getAddress();
+        if (StringUtil.isNotNull(address)) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.ADDRESS.get(), address);
+        }
+
+        if (subjectConfirmationData instanceof KeyInfoConfirmationDataType) {
+            KeyInfoConfirmationDataType kicd = (KeyInfoConfirmationDataType) subjectConfirmationData;
+            KeyInfoType keyInfo = (KeyInfoType) kicd.getAnyType();
+            StaxWriterUtil.writeKeyInfo(writer, keyInfo);
+            /*
+             * if (keyInfo.getContent() == null || keyInfo.getContent().size() == 0) throw new
+             * ProcessingException(ErrorCodes.WRITER_INVALID_KEYINFO_NULL_CONTENT); StaxUtil.writeStartElement(this.writer,
+             * WSTrustConstants.XMLDSig.DSIG_PREFIX, WSTrustConstants.XMLDSig.KEYINFO, WSTrustConstants.XMLDSig.DSIG_NS);
+             * StaxUtil.writeNameSpace(this.writer, WSTrustConstants.XMLDSig.DSIG_PREFIX, WSTrustConstants.XMLDSig.DSIG_NS); //
+             * write the keyInfo content. Object content = keyInfo.getContent().get(0); if (content instanceof Element) {
+             * Element element = (Element) keyInfo.getContent().get(0); StaxUtil.writeDOMNode(this.writer, element); } else if
+             * (content instanceof X509DataType) { X509DataType type = (X509DataType) content; if (type.getDataObjects().size()
+             * == 0) throw new ProcessingException(ErrorCodes.WRITER_NULL_VALUE + "X509Data");
+             * StaxUtil.writeStartElement(this.writer, WSTrustConstants.XMLDSig.DSIG_PREFIX, WSTrustConstants.XMLDSig.X509DATA,
+             * WSTrustConstants.XMLDSig.DSIG_NS); Object obj = type.getDataObjects().get(0); if (obj instanceof Element) {
+             * Element element = (Element) obj; StaxUtil.writeDOMElement(this.writer, element); } else if (obj instanceof
+             * X509CertificateType) { X509CertificateType cert = (X509CertificateType) obj;
+             * StaxUtil.writeStartElement(this.writer, WSTrustConstants.XMLDSig.DSIG_PREFIX, WSTrustConstants.XMLDSig.X509CERT,
+             * WSTrustConstants.XMLDSig.DSIG_NS); StaxUtil.writeCharacters(this.writer, new
+             * String(cert.getEncodedCertificate())); StaxUtil.writeEndElement(this.writer); }
+             * StaxUtil.writeEndElement(this.writer); } StaxUtil.writeEndElement(this.writer);
+             */
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    private void write(BaseIDAbstractType baseId) throws ProcessingException {
+        throw logger.notImplementedYet("Method not implemented.");
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLAssertionWriter.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLAssertionWriter.java
new file mode 100755
index 0000000000..af646e2eca
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLAssertionWriter.java
@@ -0,0 +1,285 @@
+/*
+ * JBoss, Home of Professional Open Source. Copyright 2008, Red Hat Middleware LLC, and individual contributors as
+ * indicated by the @author tags. See the copyright.txt file in the distribution for a full listing of individual
+ * contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any
+ * later version.
+ *
+ * This software is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
+ * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License along with this software; if not, write to
+ * the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA, or see the FSF site:
+ * http://www.fsf.org.
+ */
+package org.keycloak.saml.processing.core.saml.v2.writers;
+
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.StaxUtil;
+import org.keycloak.dom.saml.v2.assertion.AdviceType;
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType.ASTChoiceType;
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
+import org.keycloak.dom.saml.v2.assertion.AudienceRestrictionType;
+import org.keycloak.dom.saml.v2.assertion.AuthnContextClassRefType;
+import org.keycloak.dom.saml.v2.assertion.AuthnContextDeclRefType;
+import org.keycloak.dom.saml.v2.assertion.AuthnContextDeclType;
+import org.keycloak.dom.saml.v2.assertion.AuthnContextType;
+import org.keycloak.dom.saml.v2.assertion.AuthnStatementType;
+import org.keycloak.dom.saml.v2.assertion.ConditionAbstractType;
+import org.keycloak.dom.saml.v2.assertion.ConditionsType;
+import org.keycloak.dom.saml.v2.assertion.EncryptedElementType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.assertion.StatementAbstractType;
+import org.keycloak.dom.saml.v2.assertion.SubjectType;
+import org.keycloak.dom.saml.v2.assertion.URIType;
+import org.w3c.dom.Element;
+
+import javax.xml.datatype.XMLGregorianCalendar;
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamWriter;
+import java.net.URI;
+import java.util.List;
+import java.util.Set;
+
+import static org.keycloak.saml.common.constants.JBossSAMLURIConstants.ASSERTION_NSURI;
+
+/**
+ * Write the SAML Assertion to stream
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 2, 2010
+ */
+public class SAMLAssertionWriter extends BaseWriter {
+
+    public SAMLAssertionWriter(XMLStreamWriter writer) {
+        super(writer);
+    }
+
+    /**
+     * Write an {@code AssertionType} to stream
+     *
+     * @param assertion
+     *
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     */
+    public void write(AssertionType assertion) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.ASSERTION.get(), ASSERTION_NSURI.get());
+        StaxUtil.writeNameSpace(writer, ASSERTION_PREFIX, ASSERTION_NSURI.get());
+        StaxUtil.writeDefaultNameSpace(writer, ASSERTION_NSURI.get());
+
+        // Attributes
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ID.get(), assertion.getID());
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.VERSION.get(), assertion.getVersion());
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ISSUE_INSTANT.get(), assertion.getIssueInstant().toString());
+
+        NameIDType issuer = assertion.getIssuer();
+        if (issuer != null)
+            write(issuer, new QName(ASSERTION_NSURI.get(), JBossSAMLConstants.ISSUER.get(), ASSERTION_PREFIX));
+
+        Element sig = assertion.getSignature();
+        if (sig != null)
+            StaxUtil.writeDOMElement(writer, sig);
+
+        SubjectType subject = assertion.getSubject();
+        if (subject != null) {
+            write(subject);
+        }
+
+        ConditionsType conditions = assertion.getConditions();
+        if (conditions != null) {
+            StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.CONDITIONS.get(), ASSERTION_NSURI.get());
+
+            if (conditions.getNotBefore() != null) {
+                StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_BEFORE.get(), conditions.getNotBefore().toString());
+            }
+
+            if (conditions.getNotOnOrAfter() != null) {
+                StaxUtil.writeAttribute(writer, JBossSAMLConstants.NOT_ON_OR_AFTER.get(), conditions.getNotOnOrAfter().toString());
+            }
+
+            List<ConditionAbstractType> typeOfConditions = conditions.getConditions();
+            if (typeOfConditions != null) {
+                for (ConditionAbstractType typeCondition : typeOfConditions) {
+                    if (typeCondition instanceof AudienceRestrictionType) {
+                        AudienceRestrictionType art = (AudienceRestrictionType) typeCondition;
+                        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.AUDIENCE_RESTRICTION.get(),
+                                ASSERTION_NSURI.get());
+                        List<URI> audiences = art.getAudience();
+                        if (audiences != null) {
+                            for (URI audience : audiences) {
+                                StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.AUDIENCE.get(),
+                                        ASSERTION_NSURI.get());
+                                StaxUtil.writeCharacters(writer, audience.toString());
+                                StaxUtil.writeEndElement(writer);
+                            }
+                        }
+
+                        StaxUtil.writeEndElement(writer);
+                    }
+                }
+            }
+
+            StaxUtil.writeEndElement(writer);
+        }
+
+        AdviceType advice = assertion.getAdvice();
+        if (advice != null)
+            throw logger.notImplementedYet("Advice");
+
+        Set<StatementAbstractType> statements = assertion.getStatements();
+        if (statements != null) {
+            for (StatementAbstractType statement : statements) {
+                if (statement instanceof AuthnStatementType) {
+                    write((AuthnStatementType) statement);
+                } else if (statement instanceof AttributeStatementType) {
+                    write((AttributeStatementType) statement);
+                } else
+                    throw logger.writerUnknownTypeError(statement.getClass().getName());
+            }
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * Write an {@code StatementAbstractType} to stream
+     *
+     * @param statement
+     *
+     * @throws ProcessingException
+     */
+    public void write(StatementAbstractType statement) throws ProcessingException {
+        // TODO: handle this section
+        throw logger.notImplementedYet("NYI");
+    }
+
+    public void write(AttributeStatementType statement) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.ATTRIBUTE_STATEMENT.get(),
+                ASSERTION_NSURI.get());
+
+        List<ASTChoiceType> attributes = statement.getAttributes();
+        if (attributes != null) {
+            for (ASTChoiceType attr : attributes) {
+                AttributeType attributeType = attr.getAttribute();
+                if (attributeType != null) {
+                    write(attributeType);
+                }
+                EncryptedElementType encType = attr.getEncryptedAssertion();
+                if (encType != null)
+                    throw logger.notImplementedYet("EncryptedElementType");
+            }
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * Write an {@code AuthnStatementType} to stream
+     *
+     * @param authnStatement
+     *
+     * @throws ProcessingException
+     */
+    public void write(AuthnStatementType authnStatement) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.AUTHN_STATEMENT.get(), ASSERTION_NSURI.get());
+
+        XMLGregorianCalendar authnInstant = authnStatement.getAuthnInstant();
+        if (authnInstant != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.AUTHN_INSTANT.get(), authnInstant.toString());
+        }
+
+        String sessionIndex = authnStatement.getSessionIndex();
+
+        if (sessionIndex != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.SESSION_INDEX.get(), sessionIndex);
+        }
+
+        AuthnContextType authnContext = authnStatement.getAuthnContext();
+        if (authnContext != null)
+            write(authnContext);
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * Write an {@code AuthnContextType} to stream
+     *
+     * @param authContext
+     *
+     * @throws ProcessingException
+     */
+    public void write(AuthnContextType authContext) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.AUTHN_CONTEXT.get(), ASSERTION_NSURI.get());
+
+        AuthnContextType.AuthnContextTypeSequence sequence = authContext.getSequence();
+        if (sequence != null) {
+            AuthnContextClassRefType authnContextClassRefType = sequence.getClassRef();
+            if (authnContextClassRefType != null) {
+                StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.AUTHN_CONTEXT_CLASS_REF.get(),
+                        ASSERTION_NSURI.get());
+                StaxUtil.writeCharacters(writer, authnContextClassRefType.getValue().toASCIIString());
+                StaxUtil.writeEndElement(writer);
+            }
+
+            Set<URIType> uriTypes = sequence.getURIType();
+            if (uriTypes != null) {
+                for (URIType uriType : uriTypes) {
+                    if (uriType instanceof AuthnContextDeclType) {
+                        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
+                                JBossSAMLConstants.AUTHN_CONTEXT_DECLARATION.get(), ASSERTION_NSURI.get());
+                        StaxUtil.writeCharacters(writer, uriType.getValue().toASCIIString());
+                        StaxUtil.writeEndElement(writer);
+                    }
+                    if (uriType instanceof AuthnContextDeclRefType) {
+                        StaxUtil.writeStartElement(writer, ASSERTION_PREFIX,
+                                JBossSAMLConstants.AUTHN_CONTEXT_DECLARATION_REF.get(), ASSERTION_NSURI.get());
+                        StaxUtil.writeCharacters(writer, uriType.getValue().toASCIIString());
+                        StaxUtil.writeEndElement(writer);
+                    }
+                }
+            }
+        }
+
+        Set<URI> authAuthorities = authContext.getAuthenticatingAuthority();
+        if (authAuthorities != null) {
+            for (URI aa : authAuthorities) {
+                StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.AUTHENTICATING_AUTHORITY.get(),
+                        ASSERTION_NSURI.get());
+                StaxUtil.writeCharacters(writer, aa.toASCIIString());
+                StaxUtil.writeEndElement(writer);
+            }
+        }
+
+        Set<URIType> uriTypes = authContext.getURIType();
+        for (URIType uriType : uriTypes) {
+            if (uriType instanceof AuthnContextClassRefType) {
+                StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.AUTHN_CONTEXT_CLASS_REF.get(),
+                        ASSERTION_NSURI.get());
+                StaxUtil.writeCharacters(writer, uriType.getValue().toString());
+                StaxUtil.writeEndElement(writer);
+            } else if (uriType instanceof AuthnContextDeclRefType) {
+                StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.AUTHN_CONTEXT_DECLARATION_REF.get(),
+                        ASSERTION_NSURI.get());
+                StaxUtil.writeCharacters(writer, uriType.getValue().toString());
+                StaxUtil.writeEndElement(writer);
+            } else if (uriType instanceof AuthnContextDeclType) {
+                StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.AUTHN_CONTEXT_DECLARATION.get(),
+                        ASSERTION_NSURI.get());
+                StaxUtil.writeCharacters(writer, uriType.getValue().toString());
+                StaxUtil.writeEndElement(writer);
+            }
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLMetadataWriter.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLMetadataWriter.java
new file mode 100755
index 0000000000..802558baa8
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLMetadataWriter.java
@@ -0,0 +1,557 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.writers;
+
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.StaxUtil;
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
+import org.keycloak.dom.saml.v2.metadata.AdditionalMetadataLocationType;
+import org.keycloak.dom.saml.v2.metadata.AffiliationDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.AttributeAuthorityDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.AttributeConsumingServiceType;
+import org.keycloak.dom.saml.v2.metadata.AuthnAuthorityDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.ContactType;
+import org.keycloak.dom.saml.v2.metadata.ContactTypeType;
+import org.keycloak.dom.saml.v2.metadata.EndpointType;
+import org.keycloak.dom.saml.v2.metadata.EntitiesDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.EntityDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.ExtensionsType;
+import org.keycloak.dom.saml.v2.metadata.IDPSSODescriptorType;
+import org.keycloak.dom.saml.v2.metadata.IndexedEndpointType;
+import org.keycloak.dom.saml.v2.metadata.KeyDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.KeyTypes;
+import org.keycloak.dom.saml.v2.metadata.LocalizedNameType;
+import org.keycloak.dom.saml.v2.metadata.LocalizedURIType;
+import org.keycloak.dom.saml.v2.metadata.OrganizationType;
+import org.keycloak.dom.saml.v2.metadata.PDPDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.RequestedAttributeType;
+import org.keycloak.dom.saml.v2.metadata.RoleDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.SPSSODescriptorType;
+import org.keycloak.dom.saml.v2.metadata.SSODescriptorType;
+import org.w3c.dom.Element;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamWriter;
+import java.net.URI;
+import java.util.List;
+
+/**
+ * Write the SAML metadata elements
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 14, 2010
+ */
+public class SAMLMetadataWriter extends BaseWriter {
+
+    private final String METADATA_PREFIX = "md";
+
+    public SAMLMetadataWriter(XMLStreamWriter writer) {
+        super(writer);
+    }
+
+    public void writeEntitiesDescriptor(EntitiesDescriptorType entities) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.ENTITIES_DESCRIPTOR.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
+
+        StaxUtil.writeDefaultNameSpace(writer, JBossSAMLURIConstants.METADATA_NSURI.get());
+        StaxUtil.writeNameSpace(writer, "md", JBossSAMLURIConstants.METADATA_NSURI.get());
+        StaxUtil.writeNameSpace(writer, "saml", JBossSAMLURIConstants.ASSERTION_NSURI.get());
+        StaxUtil.writeNameSpace(writer, "ds", JBossSAMLURIConstants.XMLDSIG_NSURI.get());
+
+        if (entities.getValidUntil() != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.VALID_UNTIL.get(), entities.getValidUntil().toString());
+        }
+        if (entities.getID() != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.ID.get(), entities.getID());
+        }
+
+        if (entities.getName() != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.NAME.get(), entities.getName());
+        }
+
+        Element signature = entities.getSignature();
+        if (signature != null) {
+            StaxUtil.writeDOMElement(writer, signature);
+        }
+        ExtensionsType extensions = entities.getExtensions();
+        if (extensions != null) {
+            StaxUtil.writeDOMElement(writer, extensions.getElement());
+        }
+
+        List<Object> entityDescriptors = entities.getEntityDescriptor();
+        for (Object ed : entityDescriptors) {
+            if (ed instanceof EntityDescriptorType) {
+                writeEntityDescriptor((EntityDescriptorType) ed);
+            } else
+                writeEntitiesDescriptor((EntitiesDescriptorType) ed);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void writeEntityDescriptor(EntityDescriptorType entityDescriptor) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.ENTITY_DESCRIPTOR.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
+        StaxUtil.writeDefaultNameSpace(writer, JBossSAMLURIConstants.METADATA_NSURI.get());
+        StaxUtil.writeNameSpace(writer, "md", JBossSAMLURIConstants.METADATA_NSURI.get());
+        StaxUtil.writeNameSpace(writer, "saml", JBossSAMLURIConstants.ASSERTION_NSURI.get());
+        StaxUtil.writeNameSpace(writer, "ds", JBossSAMLURIConstants.XMLDSIG_NSURI.get());
+
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ENTITY_ID.get(), entityDescriptor.getEntityID());
+        if (entityDescriptor.getValidUntil() != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.VALID_UNTIL.get(), entityDescriptor.getValidUntil().toString());
+        }
+        if (entityDescriptor.getID() != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.ID.get(), entityDescriptor.getID());
+        }
+
+        Element signature = entityDescriptor.getSignature();
+        if (signature != null) {
+            StaxUtil.writeDOMElement(writer, signature);
+        }
+        ExtensionsType extensions = entityDescriptor.getExtensions();
+        if (extensions != null) {
+            StaxUtil.writeDOMElement(writer, extensions.getElement());
+        }
+
+        List<EntityDescriptorType.EDTChoiceType> choiceTypes = entityDescriptor.getChoiceType();
+        for (EntityDescriptorType.EDTChoiceType edtChoice : choiceTypes) {
+            AffiliationDescriptorType affliationDesc = edtChoice.getAffiliationDescriptor();
+            if (affliationDesc != null)
+                throw logger.notImplementedYet("affliation"); // TODO: affiliation
+
+            List<EntityDescriptorType.EDTDescriptorChoiceType> edtDescChoices = edtChoice.getDescriptors();
+            for (EntityDescriptorType.EDTDescriptorChoiceType edtDescChoice : edtDescChoices) {
+                RoleDescriptorType roleDesc = edtDescChoice.getRoleDescriptor();
+
+                if (roleDesc != null)
+                    throw logger.notImplementedYet("Role Descriptor type");
+
+                IDPSSODescriptorType idpSSO = edtDescChoice.getIdpDescriptor();
+                if (idpSSO != null)
+                    write(idpSSO);
+
+                SPSSODescriptorType spSSO = edtDescChoice.getSpDescriptor();
+                if (spSSO != null)
+                    write(spSSO);
+
+                AttributeAuthorityDescriptorType attribAuth = edtDescChoice.getAttribDescriptor();
+                if (attribAuth != null)
+                    writeAttributeAuthorityDescriptor(attribAuth);
+
+                AuthnAuthorityDescriptorType authNDesc = edtDescChoice.getAuthnDescriptor();
+                if (authNDesc != null)
+                    throw logger.notImplementedYet("AuthnAuthorityDescriptorType");
+
+                PDPDescriptorType pdpDesc = edtDescChoice.getPdpDescriptor();
+                if (pdpDesc != null)
+                    throw logger.notImplementedYet("PDPDescriptorType");
+            }
+        }
+        OrganizationType organization = entityDescriptor.getOrganization();
+        if (organization != null) {
+            writeOrganization(organization);
+        }
+
+        List<ContactType> contactPersons = entityDescriptor.getContactPerson();
+        for (ContactType contact : contactPersons) {
+            write(contact);
+        }
+
+        List<AdditionalMetadataLocationType> addl = entityDescriptor.getAdditionalMetadataLocation();
+        if (addl.size() > 0)
+            throw logger.notImplementedYet("AdditionalMetadataLocationType");
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void write(SSODescriptorType ssoDescriptor) throws ProcessingException {
+        throw new RuntimeException("should not be called");
+    }
+
+    public void write(SPSSODescriptorType spSSODescriptor) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.SP_SSO_DESCRIPTOR.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
+        StaxUtil.writeAttribute(writer, new QName(JBossSAMLConstants.PROTOCOL_SUPPORT_ENUMERATION.get()), spSSODescriptor
+                .getProtocolSupportEnumeration().get(0));
+
+        // Write the attributes
+        Boolean authnSigned = spSSODescriptor.isAuthnRequestsSigned();
+        if (authnSigned != null) {
+            StaxUtil.writeAttribute(writer, new QName(JBossSAMLConstants.AUTHN_REQUESTS_SIGNED.get()),
+                    authnSigned.toString());
+        }
+        Boolean wantAssertionsSigned = spSSODescriptor.isWantAssertionsSigned();
+        if (wantAssertionsSigned != null) {
+            StaxUtil.writeAttribute(writer, new QName(JBossSAMLConstants.WANT_ASSERTIONS_SIGNED.get()),
+                    wantAssertionsSigned.toString());
+        }
+
+        // Get the key descriptors
+        List<KeyDescriptorType> keyDescriptors = spSSODescriptor.getKeyDescriptor();
+        for (KeyDescriptorType keyDescriptor : keyDescriptors) {
+            writeKeyDescriptor(keyDescriptor);
+        }
+
+        List<EndpointType> sloServices = spSSODescriptor.getSingleLogoutService();
+        for (EndpointType endpoint : sloServices) {
+            writeSingleLogoutService(endpoint);
+        }
+
+        List<IndexedEndpointType> artifactResolutions = spSSODescriptor.getArtifactResolutionService();
+        for (IndexedEndpointType artifactResolution : artifactResolutions) {
+            writeArtifactResolutionService(artifactResolution);
+        }
+
+        List<String> nameIDFormats = spSSODescriptor.getNameIDFormat();
+        for (String nameIDFormat : nameIDFormats) {
+            writeNameIDFormat(nameIDFormat);
+        }
+
+        List<IndexedEndpointType> assertionConsumers = spSSODescriptor.getAssertionConsumerService();
+        for (IndexedEndpointType assertionConsumer : assertionConsumers) {
+            writeAssertionConsumerService(assertionConsumer);
+        }
+
+        List<AttributeConsumingServiceType> attributeConsumers = spSSODescriptor.getAttributeConsumingService();
+        for (AttributeConsumingServiceType attributeConsumer : attributeConsumers) {
+            writeAttributeConsumingService(attributeConsumer);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void write(IDPSSODescriptorType idpSSODescriptor) throws ProcessingException {
+        if (idpSSODescriptor == null)
+            throw new ProcessingException(logger.nullArgumentError("IDPSSODescriptorType"));
+
+        StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.IDP_SSO_DESCRIPTOR.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
+
+        Boolean wantsAuthnRequestsSigned = idpSSODescriptor.isWantAuthnRequestsSigned();
+        if (wantsAuthnRequestsSigned != null) {
+            StaxUtil.writeAttribute(writer, new QName(JBossSAMLConstants.WANT_AUTHN_REQUESTS_SIGNED.get()),
+                    wantsAuthnRequestsSigned.toString());
+        }
+        writeProtocolSupportEnumeration(idpSSODescriptor.getProtocolSupportEnumeration());
+
+        List<IndexedEndpointType> artifactResolutionServices = idpSSODescriptor.getArtifactResolutionService();
+        for (IndexedEndpointType indexedEndpoint : artifactResolutionServices) {
+            writeArtifactResolutionService(indexedEndpoint);
+        }
+
+        List<EndpointType> sloServices = idpSSODescriptor.getSingleLogoutService();
+        for (EndpointType endpoint : sloServices) {
+            writeSingleLogoutService(endpoint);
+        }
+
+        List<EndpointType> ssoServices = idpSSODescriptor.getSingleSignOnService();
+        for (EndpointType endpoint : ssoServices) {
+            writeSingleSignOnService(endpoint);
+        }
+
+        List<String> nameIDFormats = idpSSODescriptor.getNameIDFormat();
+        for (String nameIDFormat : nameIDFormats) {
+            writeNameIDFormat(nameIDFormat);
+        }
+
+        List<AttributeType> attributes = idpSSODescriptor.getAttribute();
+        for (AttributeType attribType : attributes) {
+            write(attribType);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void writeAttributeAuthorityDescriptor(AttributeAuthorityDescriptorType attributeAuthority)
+            throws ProcessingException {
+        StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.ATTRIBUTE_AUTHORITY_DESCRIPTOR.get(),
+                JBossSAMLURIConstants.METADATA_NSURI.get());
+
+        writeProtocolSupportEnumeration(attributeAuthority.getProtocolSupportEnumeration());
+
+        Element signature = attributeAuthority.getSignature();
+        if (signature != null) {
+            StaxUtil.writeDOMElement(writer, signature);
+        }
+        ExtensionsType extensions = attributeAuthority.getExtensions();
+        if (extensions != null) {
+            StaxUtil.writeDOMElement(writer, extensions.getElement());
+        }
+
+        List<KeyDescriptorType> keyDescriptorList = attributeAuthority.getKeyDescriptor();
+        for (KeyDescriptorType keyDescriptor : keyDescriptorList) {
+            writeKeyDescriptor(keyDescriptor);
+        }
+
+        List<EndpointType> attributeServices = attributeAuthority.getAttributeService();
+        for (EndpointType endpoint : attributeServices) {
+            writeAttributeService(endpoint);
+        }
+
+        List<String> nameIDFormats = attributeAuthority.getNameIDFormat();
+        for (String nameIDFormat : nameIDFormats) {
+            writeNameIDFormat(nameIDFormat);
+        }
+
+        List<AttributeType> attributes = attributeAuthority.getAttribute();
+        for (AttributeType attributeType : attributes) {
+            write(attributeType);
+        }
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void writeArtifactResolutionService(IndexedEndpointType indexedEndpoint) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.ARTIFACT_RESOLUTION_SERVICE.get(),
+                JBossSAMLURIConstants.METADATA_NSURI.get());
+
+        writeIndexedEndpointType(indexedEndpoint);
+    }
+
+    public void writeAssertionConsumerService(IndexedEndpointType indexedEndpoint) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.ASSERTION_CONSUMER_SERVICE.get(),
+                JBossSAMLURIConstants.METADATA_NSURI.get());
+        writeIndexedEndpointType(indexedEndpoint);
+    }
+
+    public void writeIndexedEndpointType(IndexedEndpointType indexedEndpoint) throws ProcessingException {
+        writeEndpointType(indexedEndpoint);
+        if (indexedEndpoint.isIsDefault() != null)
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.ISDEFAULT.get(), "" + indexedEndpoint.isIsDefault());
+
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.INDEX.get(), "" + indexedEndpoint.getIndex());
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void writeAttributeConsumingService(AttributeConsumingServiceType attributeConsumer) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.ATTRIBUTE_CONSUMING_SERVICE.get(),
+                JBossSAMLURIConstants.METADATA_NSURI.get());
+
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ISDEFAULT.get(), "" + attributeConsumer.isIsDefault());
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.INDEX.get(), "" + attributeConsumer.getIndex());
+
+        // Service Name
+        List<LocalizedNameType> serviceNames = attributeConsumer.getServiceName();
+        for (LocalizedNameType serviceName : serviceNames) {
+            writeLocalizedNameType(serviceName, new QName(JBossSAMLURIConstants.METADATA_NSURI.get(), JBossSAMLConstants.SERVICE_NAME.get(),
+                    METADATA_PREFIX));
+        }
+
+        List<LocalizedNameType> serviceDescriptions = attributeConsumer.getServiceDescription();
+        for (LocalizedNameType serviceDescription : serviceDescriptions) {
+            writeLocalizedNameType(serviceDescription,
+                    new QName(JBossSAMLURIConstants.METADATA_NSURI.get(), JBossSAMLConstants.SERVICE_DESCRIPTION.get(), METADATA_PREFIX));
+        }
+
+        List<RequestedAttributeType> requestedAttributes = attributeConsumer.getRequestedAttribute();
+        for (RequestedAttributeType requestedAttribute : requestedAttributes) {
+            StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.REQUESTED_ATTRIBUTE.get(),
+                    JBossSAMLURIConstants.METADATA_NSURI.get());
+            Boolean isRequired = requestedAttribute.isIsRequired();
+            if (isRequired != null) {
+                StaxUtil.writeAttribute(writer, new QName(JBossSAMLConstants.IS_REQUIRED.get()), isRequired.toString());
+            }
+            writeAttributeTypeWithoutRootTag(requestedAttribute);
+            StaxUtil.writeEndElement(writer);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void writeOrganization(OrganizationType org) throws ProcessingException {
+        if (org == null)
+            throw new ProcessingException(logger.nullArgumentError("Organization"));
+        StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.ORGANIZATION.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
+
+        ExtensionsType extensions = org.getExtensions();
+        if (extensions != null) {
+            StaxUtil.writeDOMElement(writer, extensions.getElement());
+        }
+
+        // Write the name
+        List<LocalizedNameType> nameList = org.getOrganizationName();
+        for (LocalizedNameType localName : nameList) {
+            StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.ORGANIZATION_NAME.get(),
+                    JBossSAMLURIConstants.METADATA_NSURI.get());
+
+            writeLocalizedType(localName);
+        }
+
+        // Write the display name
+        List<LocalizedNameType> displayNameList = org.getOrganizationDisplayName();
+        for (LocalizedNameType localName : displayNameList) {
+            StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.ORGANIZATION_DISPLAY_NAME.get(),
+                    JBossSAMLURIConstants.METADATA_NSURI.get());
+            writeLocalizedType(localName);
+        }
+
+        // Write the url
+        List<LocalizedURIType> uriList = org.getOrganizationURL();
+        for (LocalizedURIType uri : uriList) {
+            StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.ORGANIZATION_URL.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
+
+            String lang = uri.getLang();
+            String val = uri.getValue().toString();
+            StaxUtil.writeAttribute(writer, new QName(JBossSAMLURIConstants.XML.get(), JBossSAMLConstants.LANG.get(), "xml"),
+                    lang);
+
+            StaxUtil.writeCharacters(writer, val);
+
+            StaxUtil.writeEndElement(writer);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void write(ContactType contact) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.CONTACT_PERSON.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
+
+        ExtensionsType extensions = contact.getExtensions();
+        if (extensions != null) {
+            StaxUtil.writeDOMElement(writer, extensions.getElement());
+        }
+        ContactTypeType attribs = contact.getContactType();
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.CONTACT_TYPE.get(), attribs.value());
+
+        // Write the name
+        String company = contact.getCompany();
+        if (company != null) {
+            StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.COMPANY.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
+            StaxUtil.writeCharacters(writer, company);
+            StaxUtil.writeEndElement(writer);
+        }
+        String givenName = contact.getGivenName();
+        if (givenName != null) {
+            StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.GIVEN_NAME.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
+            StaxUtil.writeCharacters(writer, givenName);
+            StaxUtil.writeEndElement(writer);
+        }
+
+        String surName = contact.getSurName();
+        if (surName != null) {
+            StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.SURNAME.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
+            StaxUtil.writeCharacters(writer, surName);
+            StaxUtil.writeEndElement(writer);
+        }
+
+        List<String> emailAddresses = contact.getEmailAddress();
+        for (String email : emailAddresses) {
+            StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.EMAIL_ADDRESS.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
+            StaxUtil.writeCharacters(writer, email);
+            StaxUtil.writeEndElement(writer);
+        }
+
+        List<String> tels = contact.getTelephoneNumber();
+        for (String telephone : tels) {
+            StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.TELEPHONE_NUMBER.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
+            StaxUtil.writeCharacters(writer, telephone);
+            StaxUtil.writeEndElement(writer);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void writeKeyDescriptor(KeyDescriptorType keyDescriptor) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.KEY_DESCRIPTOR.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
+
+        KeyTypes keyTypes = keyDescriptor.getUse();
+        if (keyTypes != null)
+            StaxUtil.writeAttribute(writer, new QName(JBossSAMLConstants.USE.get()), keyTypes.value());
+
+        Element keyInfo = keyDescriptor.getKeyInfo();
+        StaxUtil.writeDOMElement(writer, keyInfo);
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void writeAttributeService(EndpointType endpoint) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.ATTRIBUTE_SERVICE.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
+
+        writeEndpointType(endpoint);
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void writeSingleLogoutService(EndpointType endpoint) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.SINGLE_LOGOUT_SERVICE.get(),
+                JBossSAMLURIConstants.METADATA_NSURI.get());
+
+        writeEndpointType(endpoint);
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void writeSingleSignOnService(EndpointType endpoint) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.SINGLE_SIGNON_SERVICE.get(),
+                JBossSAMLURIConstants.METADATA_NSURI.get());
+
+        writeEndpointType(endpoint);
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    private void writeProtocolSupportEnumeration(List<String> protoEnum) throws ProcessingException {
+        if (protoEnum.size() > 0) {
+            StringBuilder sb = new StringBuilder();
+            for (String str : protoEnum) {
+                sb.append(str).append(" ");
+            }
+
+            StaxUtil.writeAttribute(writer, new QName(JBossSAMLConstants.PROTOCOL_SUPPORT_ENUMERATION.get()), sb.toString()
+                    .trim());
+        }
+    }
+
+    private void writeEndpointType(EndpointType endpoint) throws ProcessingException {
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.BINDING.get(), endpoint.getBinding().toString());
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.LOCATION.get(), endpoint.getLocation().toString());
+
+        URI responseLocation = endpoint.getResponseLocation();
+        if (responseLocation != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.RESPONSE_LOCATION.get(), responseLocation.toString());
+        }
+    }
+
+    private void writeLocalizedType(LocalizedNameType localName) throws ProcessingException {
+        String lang = localName.getLang();
+        String val = localName.getValue();
+        StaxUtil.writeAttribute(writer, new QName(JBossSAMLURIConstants.XML.get(), JBossSAMLConstants.LANG.get(), "xml"), lang);
+
+        StaxUtil.writeCharacters(writer, val);
+
+        StaxUtil.writeEndElement(writer);
+    }
+
+    private void writeNameIDFormat(String nameIDFormat) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, METADATA_PREFIX, JBossSAMLConstants.NAMEID_FORMAT.get(), JBossSAMLURIConstants.METADATA_NSURI.get());
+
+        StaxUtil.writeCharacters(writer, nameIDFormat);
+        StaxUtil.writeEndElement(writer);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLRequestWriter.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLRequestWriter.java
new file mode 100755
index 0000000000..a6bfbe7ad7
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLRequestWriter.java
@@ -0,0 +1,335 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.keycloak.saml.processing.core.saml.v2.writers;
+
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.StaxUtil;
+import org.keycloak.saml.common.util.StringUtil;
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.assertion.SubjectType;
+import org.keycloak.dom.saml.v2.protocol.ArtifactResolveType;
+import org.keycloak.dom.saml.v2.protocol.AttributeQueryType;
+import org.keycloak.dom.saml.v2.protocol.AuthnContextComparisonType;
+import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
+import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
+import org.keycloak.dom.saml.v2.protocol.NameIDPolicyType;
+import org.keycloak.dom.saml.v2.protocol.RequestedAuthnContextType;
+import org.w3c.dom.Element;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamWriter;
+import java.net.URI;
+import java.util.List;
+
+import static org.keycloak.saml.common.constants.JBossSAMLURIConstants.ASSERTION_NSURI;
+import static org.keycloak.saml.common.constants.JBossSAMLURIConstants.PROTOCOL_NSURI;
+
+/**
+ * Writes a SAML2 Request Type to Stream
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 2, 2010
+ */
+public class SAMLRequestWriter extends BaseWriter {
+
+    public SAMLRequestWriter(XMLStreamWriter writer) {
+        super(writer);
+    }
+
+    /**
+     * Write a {@code AuthnRequestType } to stream
+     *
+     * @param request
+     *
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     */
+    public void write(AuthnRequestType request) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, JBossSAMLConstants.AUTHN_REQUEST.get(), PROTOCOL_NSURI.get());
+        StaxUtil.writeNameSpace(writer, PROTOCOL_PREFIX, PROTOCOL_NSURI.get());
+        StaxUtil.writeDefaultNameSpace(writer, ASSERTION_NSURI.get());
+
+        // Attributes
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ID.get(), request.getID());
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.VERSION.get(), request.getVersion());
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ISSUE_INSTANT.get(), request.getIssueInstant().toString());
+
+        URI destination = request.getDestination();
+        if (destination != null)
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.DESTINATION.get(), destination.toASCIIString());
+
+        String consent = request.getConsent();
+        if (StringUtil.isNotNull(consent))
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.CONSENT.get(), consent);
+
+        URI assertionURL = request.getAssertionConsumerServiceURL();
+        if (assertionURL != null)
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.ASSERTION_CONSUMER_SERVICE_URL.get(),
+                    assertionURL.toASCIIString());
+
+        Boolean forceAuthn = request.isForceAuthn();
+        if (forceAuthn != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.FORCE_AUTHN.get(), forceAuthn.toString());
+        }
+
+        Boolean isPassive = request.isIsPassive();
+        if (isPassive != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.IS_PASSIVE.get(), isPassive.toString());
+        }
+
+        URI protocolBinding = request.getProtocolBinding();
+        if (protocolBinding != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.PROTOCOL_BINDING.get(), protocolBinding.toString());
+        }
+
+        Integer assertionIndex = request.getAssertionConsumerServiceIndex();
+        if (assertionIndex != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.ASSERTION_CONSUMER_SERVICE_INDEX.get(),
+                    assertionIndex.toString());
+        }
+
+        Integer attrIndex = request.getAttributeConsumingServiceIndex();
+        if (attrIndex != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.ATTRIBUTE_CONSUMING_SERVICE_INDEX.get(), attrIndex.toString());
+        }
+        String providerName = request.getProviderName();
+        if (StringUtil.isNotNull(providerName)) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.PROVIDER_NAME.get(), providerName);
+        }
+
+        NameIDType issuer = request.getIssuer();
+        if (issuer != null) {
+            write(issuer, new QName(ASSERTION_NSURI.get(), JBossSAMLConstants.ISSUER.get(), ASSERTION_PREFIX));
+        }
+
+        Element sig = request.getSignature();
+        if (sig != null) {
+            StaxUtil.writeDOMElement(writer, sig);
+        }
+
+        NameIDPolicyType nameIDPolicy = request.getNameIDPolicy();
+        if (nameIDPolicy != null) {
+            write(nameIDPolicy);
+        }
+
+        RequestedAuthnContextType requestedAuthnContext = request.getRequestedAuthnContext();
+        if (requestedAuthnContext != null) {
+            write(requestedAuthnContext);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * Write a {@code LogoutRequestType} to stream
+     *
+     * @param logOutRequest
+     *
+     * @throws ProcessingException
+     */
+    public void write(LogoutRequestType logOutRequest) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, JBossSAMLConstants.LOGOUT_REQUEST.get(), PROTOCOL_NSURI.get());
+
+        StaxUtil.writeNameSpace(writer, PROTOCOL_PREFIX, PROTOCOL_NSURI.get());
+        StaxUtil.writeDefaultNameSpace(writer, ASSERTION_NSURI.get());
+
+        // Attributes
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ID.get(), logOutRequest.getID());
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.VERSION.get(), logOutRequest.getVersion());
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ISSUE_INSTANT.get(), logOutRequest.getIssueInstant().toString());
+
+        URI destination = logOutRequest.getDestination();
+        if (destination != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.DESTINATION.get(), destination.toASCIIString());
+        }
+
+        String consent = logOutRequest.getConsent();
+        if (StringUtil.isNotNull(consent))
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.CONSENT.get(), consent);
+
+        NameIDType issuer = logOutRequest.getIssuer();
+        write(issuer, new QName(ASSERTION_NSURI.get(), JBossSAMLConstants.ISSUER.get(), ASSERTION_PREFIX));
+
+        Element signature = logOutRequest.getSignature();
+        if (signature != null) {
+            StaxUtil.writeDOMElement(writer, signature);
+        }
+
+        NameIDType nameID = logOutRequest.getNameID();
+        if (nameID != null) {
+            write(nameID, new QName(ASSERTION_NSURI.get(), JBossSAMLConstants.NAMEID.get(), ASSERTION_PREFIX));
+        }
+
+        List<String> sessionIndexes = logOutRequest.getSessionIndex();
+
+        for (String sessionIndex : sessionIndexes) {
+            StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, JBossSAMLConstants.SESSION_INDEX.get(), PROTOCOL_NSURI.get());
+
+            StaxUtil.writeCharacters(writer, sessionIndex);
+
+            StaxUtil.writeEndElement(writer);
+            StaxUtil.flush(writer);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * Write a {@code NameIDPolicyType} to stream
+     *
+     * @param nameIDPolicy
+     *
+     * @throws ProcessingException
+     */
+    public void write(NameIDPolicyType nameIDPolicy) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, JBossSAMLConstants.NAMEID_POLICY.get(), PROTOCOL_NSURI.get());
+
+        URI format = nameIDPolicy.getFormat();
+        if (format != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.FORMAT.get(), format.toASCIIString());
+        }
+
+        String spNameQualifier = nameIDPolicy.getSPNameQualifier();
+        if (StringUtil.isNotNull(spNameQualifier)) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.SP_NAME_QUALIFIER.get(), spNameQualifier);
+        }
+
+        Boolean allowCreate = nameIDPolicy.isAllowCreate();
+        if (allowCreate != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.ALLOW_CREATE.get(), allowCreate.toString());
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * Write a {@code RequestedAuthnContextType} to stream
+     *
+     * @param requestedAuthnContextType
+     *
+     * @throws ProcessingException
+     */
+    public void write(RequestedAuthnContextType requestedAuthnContextType) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, JBossSAMLConstants.REQUESTED_AUTHN_CONTEXT.get(), PROTOCOL_NSURI.get());
+
+        AuthnContextComparisonType comparison = requestedAuthnContextType.getComparison();
+
+        if (comparison != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.COMPARISON.get(), comparison.value());
+        }
+
+        List<String> authnContextClassRef = requestedAuthnContextType.getAuthnContextClassRef();
+
+        if (authnContextClassRef != null && !authnContextClassRef.isEmpty()) {
+            for (String classRef : authnContextClassRef) {
+                StaxUtil.writeStartElement(writer, ASSERTION_PREFIX, JBossSAMLConstants.AUTHN_CONTEXT_CLASS_REF.get(), ASSERTION_NSURI.get());
+                StaxUtil.writeNameSpace(writer, ASSERTION_PREFIX, ASSERTION_NSURI.get());
+                StaxUtil.writeCharacters(writer, classRef);
+                StaxUtil.writeEndElement(writer);
+            }
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void write(ArtifactResolveType request) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, JBossSAMLConstants.ARTIFACT_RESOLVE.get(), PROTOCOL_NSURI.get());
+        StaxUtil.writeNameSpace(writer, PROTOCOL_PREFIX, PROTOCOL_NSURI.get());
+        StaxUtil.writeNameSpace(writer, ASSERTION_PREFIX, ASSERTION_NSURI.get());
+        StaxUtil.writeDefaultNameSpace(writer, ASSERTION_NSURI.get());
+
+        // Attributes
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ID.get(), request.getID());
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.VERSION.get(), request.getVersion());
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ISSUE_INSTANT.get(), request.getIssueInstant().toString());
+
+        URI destination = request.getDestination();
+        if (destination != null)
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.DESTINATION.get(), destination.toASCIIString());
+
+        String consent = request.getConsent();
+        if (StringUtil.isNotNull(consent))
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.CONSENT.get(), consent);
+
+        NameIDType issuer = request.getIssuer();
+        if (issuer != null) {
+            write(issuer, new QName(ASSERTION_NSURI.get(), JBossSAMLConstants.ISSUER.get(), ASSERTION_PREFIX));
+        }
+        Element sig = request.getSignature();
+        if (sig != null) {
+            StaxUtil.writeDOMElement(writer, sig);
+        }
+        String artifact = request.getArtifact();
+        if (StringUtil.isNotNull(artifact)) {
+            StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, JBossSAMLConstants.ARTIFACT.get(), PROTOCOL_NSURI.get());
+            StaxUtil.writeCharacters(writer, artifact);
+            StaxUtil.writeEndElement(writer);
+        }
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void write(AttributeQueryType request) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, JBossSAMLConstants.ATTRIBUTE_QUERY.get(), PROTOCOL_NSURI.get());
+        StaxUtil.writeNameSpace(writer, PROTOCOL_PREFIX, PROTOCOL_NSURI.get());
+        StaxUtil.writeNameSpace(writer, ASSERTION_PREFIX, ASSERTION_NSURI.get());
+        StaxUtil.writeDefaultNameSpace(writer, ASSERTION_NSURI.get());
+
+        // Attributes
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ID.get(), request.getID());
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.VERSION.get(), request.getVersion());
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ISSUE_INSTANT.get(), request.getIssueInstant().toString());
+
+        URI destination = request.getDestination();
+        if (destination != null)
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.DESTINATION.get(), destination.toASCIIString());
+
+        String consent = request.getConsent();
+        if (StringUtil.isNotNull(consent))
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.CONSENT.get(), consent);
+
+        NameIDType issuer = request.getIssuer();
+        if (issuer != null) {
+            write(issuer, new QName(ASSERTION_NSURI.get(), JBossSAMLConstants.ISSUER.get(), ASSERTION_PREFIX));
+        }
+        Element sig = request.getSignature();
+        if (sig != null) {
+            StaxUtil.writeDOMElement(writer, sig);
+        }
+        SubjectType subject = request.getSubject();
+        if (subject != null) {
+            write(subject);
+        }
+        List<AttributeType> attributes = request.getAttribute();
+        for (AttributeType attr : attributes) {
+            write(attr);
+        }
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLResponseWriter.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLResponseWriter.java
new file mode 100755
index 0000000000..1c4d3a605e
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/saml/v2/writers/SAMLResponseWriter.java
@@ -0,0 +1,264 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.saml.v2.writers;
+
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.StaxUtil;
+import org.keycloak.saml.common.util.StringUtil;
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
+import org.keycloak.dom.saml.v2.assertion.EncryptedAssertionType;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.protocol.ArtifactResponseType;
+import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
+import org.keycloak.dom.saml.v2.protocol.StatusCodeType;
+import org.keycloak.dom.saml.v2.protocol.StatusDetailType;
+import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
+import org.keycloak.dom.saml.v2.protocol.StatusType;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.w3c.dom.Element;
+
+import javax.xml.namespace.QName;
+import javax.xml.stream.XMLStreamWriter;
+import java.net.URI;
+import java.util.List;
+
+/**
+ * Write a SAML Response to stream
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 2, 2010
+ */
+public class SAMLResponseWriter extends BaseWriter {
+
+    private final SAMLAssertionWriter assertionWriter;
+
+    public SAMLResponseWriter(XMLStreamWriter writer) {
+        super(writer);
+        this.assertionWriter = new SAMLAssertionWriter(writer);
+    }
+
+    /**
+     * Write a {@code ResponseType} to stream
+     *
+     * @param response
+     * @param out
+     *
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     */
+    public void write(ResponseType response) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, JBossSAMLConstants.RESPONSE.get(), JBossSAMLURIConstants.PROTOCOL_NSURI.get());
+
+        StaxUtil.writeNameSpace(writer, PROTOCOL_PREFIX, JBossSAMLURIConstants.PROTOCOL_NSURI.get());
+        StaxUtil.writeNameSpace(writer, ASSERTION_PREFIX, JBossSAMLURIConstants.ASSERTION_NSURI.get());
+
+        writeBaseAttributes(response);
+
+        NameIDType issuer = response.getIssuer();
+        if (issuer != null) {
+            write(issuer, new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ISSUER.get(), ASSERTION_PREFIX));
+        }
+
+        Element sig = response.getSignature();
+        if (sig != null) {
+            StaxUtil.writeDOMElement(writer, sig);
+        }
+
+        StatusType status = response.getStatus();
+        write(status);
+
+        List<ResponseType.RTChoiceType> choiceTypes = response.getAssertions();
+        if (choiceTypes != null) {
+            for (ResponseType.RTChoiceType choiceType : choiceTypes) {
+                AssertionType assertion = choiceType.getAssertion();
+                if (assertion != null) {
+                    assertionWriter.write(assertion);
+                }
+
+                EncryptedAssertionType encryptedAssertion = choiceType.getEncryptedAssertion();
+                if (encryptedAssertion != null) {
+                    Element encElement = encryptedAssertion.getEncryptedElement();
+                    StaxUtil.writeDOMElement(writer, encElement);
+                }
+            }
+        }
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    public void write(ArtifactResponseType response) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, JBossSAMLConstants.ARTIFACT_RESPONSE.get(), JBossSAMLURIConstants.PROTOCOL_NSURI.get());
+
+        StaxUtil.writeNameSpace(writer, PROTOCOL_PREFIX, JBossSAMLURIConstants.PROTOCOL_NSURI.get());
+        StaxUtil.writeNameSpace(writer, ASSERTION_PREFIX, JBossSAMLURIConstants.ASSERTION_NSURI.get());
+        StaxUtil.writeDefaultNameSpace(writer, JBossSAMLURIConstants.ASSERTION_NSURI.get());
+
+        writeBaseAttributes(response);
+
+        NameIDType issuer = response.getIssuer();
+        if (issuer != null) {
+            write(issuer, new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ISSUER.get(), ASSERTION_PREFIX));
+        }
+
+        Element sig = response.getSignature();
+        if (sig != null) {
+            StaxUtil.writeDOMElement(writer, sig);
+        }
+
+        StatusType status = response.getStatus();
+        if (status != null) {
+            write(status);
+        }
+        Object anyObj = response.getAny();
+        if (anyObj instanceof AuthnRequestType) {
+            AuthnRequestType authn = (AuthnRequestType) anyObj;
+            SAMLRequestWriter requestWriter = new SAMLRequestWriter(writer);
+            requestWriter.write(authn);
+        } else if (anyObj instanceof ResponseType) {
+            ResponseType rt = (ResponseType) anyObj;
+            write(rt);
+        }
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * Write a {@code StatusResponseType}
+     *
+     * @param response
+     * @param qname QName of the starting element
+     * @param out
+     *
+     * @throws ProcessingException
+     */
+    public void write(StatusResponseType response, QName qname) throws ProcessingException {
+        if (qname == null) {
+            StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, JBossSAMLConstants.STATUS_RESPONSE_TYPE.get(),
+                    JBossSAMLURIConstants.PROTOCOL_NSURI.get());
+        } else {
+            StaxUtil.writeStartElement(writer, qname.getPrefix(), qname.getLocalPart(), qname.getNamespaceURI());
+        }
+
+        StaxUtil.writeNameSpace(writer, PROTOCOL_PREFIX, JBossSAMLURIConstants.PROTOCOL_NSURI.get());
+        StaxUtil.writeDefaultNameSpace(writer, JBossSAMLURIConstants.ASSERTION_NSURI.get());
+
+        writeBaseAttributes(response);
+
+        NameIDType issuer = response.getIssuer();
+        write(issuer, new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ISSUER.get(), ASSERTION_PREFIX));
+
+        StatusType status = response.getStatus();
+        write(status);
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * Write a {@code StatusType} to stream
+     *
+     * @param status
+     * @param out
+     *
+     * @throws ProcessingException
+     */
+    public void write(StatusType status) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, JBossSAMLConstants.STATUS.get(), JBossSAMLURIConstants.PROTOCOL_NSURI.get());
+
+        StatusCodeType statusCodeType = status.getStatusCode();
+        write(statusCodeType);
+
+        String statusMessage = status.getStatusMessage();
+        if (StringUtil.isNotNull(statusMessage)) {
+            StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, JBossSAMLConstants.STATUS_MESSAGE.get(), JBossSAMLURIConstants.PROTOCOL_NSURI.get());
+            StaxUtil.writeEndElement(writer);
+        }
+
+        StatusDetailType statusDetail = status.getStatusDetail();
+        if (statusDetail != null)
+            write(statusDetail);
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * Write a {@code StatusCodeType} to stream
+     *
+     * @param statusCodeType
+     * @param out
+     *
+     * @throws ProcessingException
+     */
+    public void write(StatusCodeType statusCodeType) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, JBossSAMLConstants.STATUS_CODE.get(), JBossSAMLURIConstants.PROTOCOL_NSURI.get());
+
+        URI value = statusCodeType.getValue();
+        if (value != null) {
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.VALUE.get(), value.toASCIIString());
+        }
+        StatusCodeType subStatusCode = statusCodeType.getStatusCode();
+        if (subStatusCode != null)
+            write(subStatusCode);
+
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * Write a {@code StatusDetailType} to stream
+     *
+     * @param statusDetailType
+     * @param out
+     *
+     * @throws ProcessingException
+     */
+    public void write(StatusDetailType statusDetailType) throws ProcessingException {
+        StaxUtil.writeStartElement(writer, PROTOCOL_PREFIX, JBossSAMLConstants.STATUS_CODE.get(), JBossSAMLURIConstants.PROTOCOL_NSURI.get());
+        StaxUtil.writeEndElement(writer);
+        StaxUtil.flush(writer);
+    }
+
+    /**
+     * Write the common attributes for all response types
+     *
+     * @param statusResponse
+     *
+     * @throws ProcessingException
+     */
+    private void writeBaseAttributes(StatusResponseType statusResponse) throws ProcessingException {
+        // Attributes
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ID.get(), statusResponse.getID());
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.VERSION.get(), statusResponse.getVersion());
+        StaxUtil.writeAttribute(writer, JBossSAMLConstants.ISSUE_INSTANT.get(), statusResponse.getIssueInstant().toString());
+
+        String destination = statusResponse.getDestination();
+        if (StringUtil.isNotNull(destination))
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.DESTINATION.get(), destination);
+
+        String consent = statusResponse.getConsent();
+        if (StringUtil.isNotNull(consent))
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.CONSENT.get(), consent);
+
+        String inResponseTo = statusResponse.getInResponseTo();
+        if (StringUtil.isNotNull(inResponseTo))
+            StaxUtil.writeAttribute(writer, JBossSAMLConstants.IN_RESPONSE_TO.get(), inResponseTo);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/CoreConfigUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/CoreConfigUtil.java
new file mode 100755
index 0000000000..4aa281998c
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/CoreConfigUtil.java
@@ -0,0 +1,208 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.dom.saml.v2.metadata.EndpointType;
+import org.keycloak.dom.saml.v2.metadata.EntitiesDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.EntityDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.EntityDescriptorType.EDTChoiceType;
+import org.keycloak.dom.saml.v2.metadata.EntityDescriptorType.EDTDescriptorChoiceType;
+import org.keycloak.dom.saml.v2.metadata.IDPSSODescriptorType;
+import org.keycloak.dom.saml.v2.metadata.IndexedEndpointType;
+import org.keycloak.dom.saml.v2.metadata.SPSSODescriptorType;
+import java.util.List;
+
+/**
+ * Utility for configuration
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Nov 13, 2009
+ */
+public class CoreConfigUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * Get the first metadata descriptor for an IDP
+     *
+     * @param entitiesDescriptor
+     *
+     * @return
+     */
+    public static IDPSSODescriptorType getIDPDescriptor(EntitiesDescriptorType entitiesDescriptor) {
+        IDPSSODescriptorType idp = null;
+        List<Object> entitiesList = entitiesDescriptor.getEntityDescriptor();
+        for (Object theObject : entitiesList) {
+            if (theObject instanceof EntitiesDescriptorType) {
+                idp = getIDPDescriptor((EntitiesDescriptorType) theObject);
+            } else if (theObject instanceof EntityDescriptorType) {
+                idp = getIDPDescriptor((EntityDescriptorType) theObject);
+            }
+            if (idp != null) {
+                break;
+            }
+        }
+        return idp;
+    }
+
+    /**
+     * Get the IDP metadata descriptor from an entity descriptor
+     *
+     * @param entityDescriptor
+     *
+     * @return
+     */
+    public static IDPSSODescriptorType getIDPDescriptor(EntityDescriptorType entityDescriptor) {
+        List<EDTChoiceType> edtChoices = entityDescriptor.getChoiceType();
+        for (EDTChoiceType edt : edtChoices) {
+            List<EDTDescriptorChoiceType> edtDescriptors = edt.getDescriptors();
+            for (EDTDescriptorChoiceType edtDesc : edtDescriptors) {
+                IDPSSODescriptorType idpSSO = edtDesc.getIdpDescriptor();
+                if (idpSSO != null) {
+                    return idpSSO;
+                }
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Get the SP Descriptor from an entity descriptor
+     *
+     * @param entityDescriptor
+     *
+     * @return
+     */
+    public static SPSSODescriptorType getSPDescriptor(EntityDescriptorType entityDescriptor) {
+        List<EDTChoiceType> edtChoices = entityDescriptor.getChoiceType();
+        for (EDTChoiceType edt : edtChoices) {
+            List<EDTDescriptorChoiceType> edtDescriptors = edt.getDescriptors();
+            for (EDTDescriptorChoiceType edtDesc : edtDescriptors) {
+                SPSSODescriptorType spSSO = edtDesc.getSpDescriptor();
+                if (spSSO != null) {
+                    return spSSO;
+                }
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Given a binding uri, get the IDP identity url
+     *
+     * @param idp
+     * @param bindingURI
+     *
+     * @return
+     */
+    public static String getIdentityURL(IDPSSODescriptorType idp, String bindingURI) {
+        String identityURL = null;
+
+        List<EndpointType> endpoints = idp.getSingleSignOnService();
+        for (EndpointType endpoint : endpoints) {
+            if (endpoint.getBinding().toString().equals(bindingURI)) {
+                identityURL = endpoint.getLocation().toString();
+                break;
+            }
+
+        }
+        return identityURL;
+    }
+
+    /**
+     * Given a binding uri, get the IDP identity url
+     *
+     * @param idp
+     * @param bindingURI
+     *
+     * @return
+     */
+    public static String getLogoutURL(IDPSSODescriptorType idp, String bindingURI) {
+        String logoutURL = null;
+
+        List<EndpointType> endpoints = idp.getSingleLogoutService();
+        for (EndpointType endpoint : endpoints) {
+            if (endpoint.getBinding().toString().equals(bindingURI)) {
+                logoutURL = endpoint.getLocation().toString();
+                break;
+            }
+
+        }
+        return logoutURL;
+    }
+
+    /**
+     * Given a binding uri, get the IDP logout response url (used for global logouts)
+     */
+    public static String getLogoutResponseLocation(IDPSSODescriptorType idp, String bindingURI) {
+        String logoutResponseLocation = null;
+
+        List<EndpointType> endpoints = idp.getSingleLogoutService();
+        for (EndpointType endpoint : endpoints) {
+            if (endpoint.getBinding().toString().equals(bindingURI)) {
+                if (endpoint.getResponseLocation() != null) {
+                    logoutResponseLocation = endpoint.getResponseLocation().toString();
+                } else {
+                    logoutResponseLocation = null;
+                }
+
+                break;
+            }
+
+        }
+        return logoutResponseLocation;
+    }
+
+    /**
+     * Get the service url for the SP
+     *
+     * @param sp
+     * @param bindingURI
+     *
+     * @return
+     */
+    public static String getServiceURL(SPSSODescriptorType sp, String bindingURI) {
+        String serviceURL = null;
+
+        List<IndexedEndpointType> endpoints = sp.getAssertionConsumerService();
+        for (IndexedEndpointType endpoint : endpoints) {
+            if (endpoint.getBinding().toString().equals(bindingURI)) {
+                serviceURL = endpoint.getLocation().toString();
+                break;
+            }
+
+        }
+        return serviceURL;
+    }
+
+    private static void addAllEntityDescriptorsRecursively(List<EntityDescriptorType> resultList,
+                                                           EntitiesDescriptorType entitiesDescriptorType) {
+        List<Object> entities = entitiesDescriptorType.getEntityDescriptor();
+        for (Object o : entities) {
+            if (o instanceof EntitiesDescriptorType) {
+                addAllEntityDescriptorsRecursively(resultList, (EntitiesDescriptorType) o);
+            } else if (o instanceof EntityDescriptorType) {
+                resultList.add((EntityDescriptorType) o);
+            } else {
+                throw new IllegalArgumentException("Wrong type: " + o.getClass());
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/EncryptionKeyUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/EncryptionKeyUtil.java
new file mode 100755
index 0000000000..850997d527
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/EncryptionKeyUtil.java
@@ -0,0 +1,50 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.util;
+
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
+import java.security.GeneralSecurityException;
+
+/**
+ * Utility to generate symmetric key
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Feb 4, 2009
+ */
+public class EncryptionKeyUtil {
+
+    /**
+     * Generate a secret key useful for encryption/decryption
+     *
+     * @param encAlgo
+     * @param keySize Length of the key (if 0, defaults to 128 bits)
+     *
+     * @return
+     *
+     * @throws GeneralSecurityException
+     */
+    public static SecretKey getSecretKey(String encAlgo, int keySize) throws GeneralSecurityException {
+        KeyGenerator keyGenerator = KeyGenerator.getInstance(encAlgo);
+        if (keySize == 0)
+            keySize = 128;
+        keyGenerator.init(keySize);
+        return keyGenerator.generateKey();
+    }
+
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/IDFedLSInputResolver.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/IDFedLSInputResolver.java
new file mode 100755
index 0000000000..99b5a3c7a9
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/IDFedLSInputResolver.java
@@ -0,0 +1,224 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.util.StringUtil;
+import org.w3c.dom.ls.LSInput;
+import org.w3c.dom.ls.LSResourceResolver;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.Reader;
+import java.net.URL;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.LinkedHashMap;
+import java.util.Map;
+
+/**
+ * An LSResource Resolver for schema validation
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 9, 2009
+ */
+public class IDFedLSInputResolver implements LSResourceResolver {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    private static Map<String, LSInput> lsmap = new HashMap<String, LSInput>();
+
+    private static Map<String, String> schemaLocationMap = new LinkedHashMap<String, String>();
+
+    static {
+        // XML Schema/DTD
+        schemaLocationMap.put("datatypes.dtd", "schema/w3c/xmlschema/datatypes.dtd");
+        schemaLocationMap.put("XMLSchema.dtd", "schema/w3c/xmlschema/XMLSchema.dtd");
+        schemaLocationMap.put("http://www.w3.org/2001/xml.xsd", "schema/w3c/xmlschema/xml.xsd");
+
+        // XML DSIG
+        schemaLocationMap.put("http://www.w3.org/2000/09/xmldsig#", "schema/w3c/xmldsig/xmldsig-core-schema.xsd");
+        schemaLocationMap.put("http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd",
+                "schema/w3c/xmldsig/xmldsig-core-schema.xsd");
+
+        // XML Enc
+        schemaLocationMap.put("http://www.w3.org/2001/04/xmlenc#", "schema/w3c/xmlenc/xenc-schema.xsd");
+        schemaLocationMap.put("http://www.w3.org/TR/2002/REC-xmlenc-core-20021210/xenc-schema.xsd",
+                "schema/w3c/xmlenc/xenc-schema.xsd");
+
+        // XACML
+        schemaLocationMap.put("access_control-xacml-2.0-context-schema-os.xsd",
+                "schema/access_control-xacml-2.0-context-schema-os.xsd");
+        schemaLocationMap.put("access_control-xacml-2.0-policy-schema-os.xsd",
+                "schema/access_control-xacml-2.0-policy-schema-os.xsd");
+
+        // SAML
+
+        schemaLocationMap.put("saml-schema-assertion-2.0.xsd", "schema/saml/v2/saml-schema-assertion-2.0.xsd");
+        schemaLocationMap.put("saml-schema-protocol-2.0.xsd", "schema/saml/v2/saml-schema-protocol-2.0.xsd");
+        schemaLocationMap.put("saml-schema-metadata-2.0.xsd", "schema/saml/v2/saml-schema-metadata-2.0.xsd");
+        schemaLocationMap.put("saml-schema-x500-2.0.xsd", "schema/saml/v2/saml-schema-x500-2.0.xsd");
+        schemaLocationMap.put("saml-schema-xacml-2.0.xsd", "schema/saml/v2/saml-schema-xacml-2.0.xsd");
+        schemaLocationMap.put("saml-schema-xacml-2.0.xsd", "schema/saml/v2/saml-schema-xacml-2.0.xsd");
+        schemaLocationMap.put("saml-schema-authn-context-2.0.xsd", "schema/saml/v2/saml-schema-authn-context-2.0.xsd");
+        schemaLocationMap.put("saml-schema-authn-context-types-2.0.xsd",
+                "schema/saml/v2/saml-schema-authn-context-types-2.0.xsd");
+
+        schemaLocationMap.put("saml-schema-assertion-1.0.xsd", "schema/saml/v1/saml-schema-assertion-1.0.xsd");
+        schemaLocationMap.put("oasis-sstc-saml-schema-assertion-1.1.xsd",
+                "schema/saml/v1/oasis-sstc-saml-schema-assertion-1.1.xsd");
+        schemaLocationMap.put("saml-schema-protocol-1.1.xsd", "schema/saml/v1/saml-schema-protocol-1.1.xsd");
+
+        schemaLocationMap.put("access_control-xacml-2.0-saml-assertion-schema-os.xsd",
+                "schema/saml/v2/access_control-xacml-2.0-saml-assertion-schema-os.xsd");
+
+        schemaLocationMap.put("access_control-xacml-2.0-saml-protocol-schema-os.xsd",
+                "schema/saml/v2/access_control-xacml-2.0-saml-protocol-schema-os.xsd");
+
+        // WS-T
+        schemaLocationMap.put("http://docs.oasis-open.org/ws-sx/ws-trust/200512", "schema/wstrust/v1_3/ws-trust-1.3.xsd");
+        schemaLocationMap.put("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
+                "schema/wstrust/v1_3/oasis-200401-wss-wssecurity-secext-1.0.xsd");
+        schemaLocationMap.put("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
+                "schema/wstrust/v1_3/oasis-200401-wss-wssecurity-utility-1.0.xsd");
+        schemaLocationMap.put("http://schemas.xmlsoap.org/ws/2004/09/policy", "schema/wstrust/v1_3/ws-policy.xsd");
+        schemaLocationMap.put("http://www.w3.org/2005/08/addressing", "schema/wstrust/v1_3/ws-addr.xsd");
+    }
+
+    public static Collection<String> schemas() {
+        Collection<String> schemaValues = schemaLocationMap.values();
+        schemaValues.remove("schema/w3c/xmlschema/datatypes.dtd");
+        schemaValues.remove("schema/w3c/xmlschema/XMLSchema.dtd");
+        logger.info("Considered the schemas:" + schemaValues);
+        return schemaValues;
+    }
+
+    public LSInput resolveResource(String type, String namespaceURI, final String publicId, final String systemId,
+                                   final String baseURI) {
+        LSInput lsi = null;
+        if (systemId == null)
+            throw logger.nullValueError("systemid");
+        if (StringUtil.isNotNull(systemId) && systemId.endsWith("dtd") && StringUtil.isNotNull(baseURI)) {
+            lsi = lsmap.get(baseURI);
+        }
+        if (lsi == null)
+            lsi = lsmap.get(systemId);
+        if (lsi == null) {
+            final String loc = schemaLocationMap.get(systemId);
+            if (loc == null)
+                return null;
+
+            lsi = new PicketLinkLSInput(baseURI, loc, publicId, systemId);
+
+            logger.trace("Loaded:" + lsi);
+
+            lsmap.put(systemId, lsi);
+        }
+        return lsi;
+    }
+
+    public static class PicketLinkLSInput implements LSInput {
+
+        private final String baseURI;
+
+        private final String loc;
+
+        private final String publicId;
+
+        private final String systemId;
+
+        public PicketLinkLSInput(String baseURI, String loc, String publicID, String systemID) {
+            this.baseURI = baseURI;
+            this.loc = loc;
+            this.publicId = publicID;
+            this.systemId = systemID;
+        }
+
+        public String getBaseURI() {
+            return baseURI;
+        }
+
+        public InputStream getByteStream() {
+            URL url = SecurityActions.loadResource(getClass(), loc);
+            InputStream is;
+            try {
+                is = url.openStream();
+            } catch (IOException e) {
+                throw new RuntimeException(logger.classNotLoadedError(loc));
+            }
+            if (is == null)
+                throw logger.nullValueError("inputstream is null for " + loc);
+            return is;
+        }
+
+        public boolean getCertifiedText() {
+            return false;
+        }
+
+        public Reader getCharacterStream() {
+            return null;
+        }
+
+        public String getEncoding() {
+            return null;
+        }
+
+        public String getPublicId() {
+            return publicId;
+        }
+
+        public String getStringData() {
+            return null;
+        }
+
+        public String getSystemId() {
+            return systemId;
+        }
+
+        public void setBaseURI(String baseURI) {
+        }
+
+        public void setByteStream(InputStream byteStream) {
+        }
+
+        public void setCertifiedText(boolean certifiedText) {
+        }
+
+        public void setCharacterStream(Reader characterStream) {
+        }
+
+        public void setEncoding(String encoding) {
+        }
+
+        public void setPublicId(String publicId) {
+        }
+
+        public void setStringData(String stringData) {
+        }
+
+        public void setSystemId(String systemId) {
+        }
+
+        @Override
+        public String toString() {
+            return "PicketLinkLSInput [baseURI=" + baseURI + ", loc=" + loc + ", publicId=" + publicId + ", systemId="
+                    + systemId + "]";
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/JAXBUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/JAXBUtil.java
new file mode 100755
index 0000000000..2c3ad47e5a
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/JAXBUtil.java
@@ -0,0 +1,280 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.xml.sax.ErrorHandler;
+import org.xml.sax.SAXException;
+import org.xml.sax.SAXParseException;
+
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Marshaller;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.transform.Source;
+import javax.xml.transform.stream.StreamSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.SchemaFactory;
+import java.io.IOException;
+import java.net.URL;
+import java.util.HashMap;
+
+/**
+ * Utility to obtain JAXB2 marshaller/unmarshaller etc
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since May 26, 2009
+ */
+public class JAXBUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    public static final String W3C_XML_SCHEMA_NS_URI = "http://www.w3.org/2001/XMLSchema";
+
+    private static HashMap<String, JAXBContext> jaxbContextHash = new HashMap<String, JAXBContext>();
+
+    static {
+        // Useful on Sun VMs. Harmless on other VMs.
+        SecurityActions.setSystemProperty("com.sun.xml.bind.v2.runtime.JAXBContextImpl.fastBoot", "true");
+    }
+
+    /**
+     * Get the JAXB Marshaller
+     *
+     * @param pkgName The package name for the jaxb context
+     * @param schemaLocation location of the schema to validate against
+     *
+     * @return Marshaller
+     *
+     * @throws JAXBException
+     * @throws SAXException
+     */
+    public static Marshaller getValidatingMarshaller(String pkgName, String schemaLocation) throws JAXBException, SAXException {
+        Marshaller marshaller = getMarshaller(pkgName);
+
+        // Validate against schema
+        Schema schema = getJAXPSchemaInstance(schemaLocation);
+        marshaller.setSchema(schema);
+
+        return marshaller;
+    }
+
+    /**
+     * Get the JAXB Marshaller
+     *
+     * @param pkgName The package name for the jaxb context
+     *
+     * @return Marshaller
+     *
+     * @throws JAXBException
+     */
+    public static Marshaller getMarshaller(String pkgName) throws JAXBException {
+        if (pkgName == null)
+            throw logger.nullArgumentError("pkgName");
+
+        JAXBContext jc = getJAXBContext(pkgName);
+        Marshaller marshaller = jc.createMarshaller();
+        marshaller.setProperty(Marshaller.JAXB_ENCODING, "UTF-8");
+        marshaller.setProperty(Marshaller.JAXB_FORMATTED_OUTPUT, Boolean.FALSE); // Breaks signatures
+        return marshaller;
+    }
+
+    /**
+     * Get the JAXB Unmarshaller
+     *
+     * @param pkgName The package name for the jaxb context
+     *
+     * @return unmarshaller
+     *
+     * @throws JAXBException
+     */
+    public static Unmarshaller getUnmarshaller(String pkgName) throws JAXBException {
+        if (pkgName == null)
+            throw logger.nullArgumentError("pkgName");
+        JAXBContext jc = getJAXBContext(pkgName);
+        return jc.createUnmarshaller();
+    }
+
+    /**
+     * Get the JAXB Unmarshaller for a selected set of package names
+     *
+     * @param pkgNames
+     *
+     * @return
+     *
+     * @throws JAXBException
+     */
+    public static Unmarshaller getUnmarshaller(String... pkgNames) throws JAXBException {
+        if (pkgNames == null)
+            throw logger.nullArgumentError("pkgName");
+        int len = pkgNames.length;
+        if (len == 0)
+            return getUnmarshaller(pkgNames[0]);
+
+        JAXBContext jc = getJAXBContext(pkgNames);
+        return jc.createUnmarshaller();
+    }
+
+    /**
+     * Get the JAXB Unmarshaller
+     *
+     * @param pkgName The package name for the jaxb context
+     * @param schemaLocation location of the schema to validate against
+     *
+     * @return unmarshaller
+     *
+     * @throws JAXBException
+     * @throws SAXException
+     */
+    public static Unmarshaller getValidatingUnmarshaller(String pkgName, String schemaLocation) throws JAXBException,
+            SAXException {
+        Unmarshaller unmarshaller = getUnmarshaller(pkgName);
+        Schema schema = getJAXPSchemaInstance(schemaLocation);
+        unmarshaller.setSchema(schema);
+
+        return unmarshaller;
+    }
+
+    public static Unmarshaller getValidatingUnmarshaller(String[] pkgNames, String[] schemaLocations) throws JAXBException,
+            SAXException, IOException {
+        StringBuilder builder = new StringBuilder();
+        int len = pkgNames.length;
+        if (len == 0)
+            throw logger.nullValueError("Packages are empty");
+
+        for (String pkg : pkgNames) {
+            builder.append(pkg);
+            builder.append(":");
+        }
+
+        Unmarshaller unmarshaller = getUnmarshaller(builder.toString());
+
+        SchemaFactory schemaFactory = getSchemaFactory();
+
+        // Get the sources
+        Source[] schemaSources = new Source[schemaLocations.length];
+
+        int i = 0;
+        for (String schemaLocation : schemaLocations) {
+            URL schemaURL = SecurityActions.loadResource(JAXBUtil.class, schemaLocation);
+            if (schemaURL == null)
+                throw logger.nullValueError("Schema URL :" + schemaLocation);
+
+            schemaSources[i++] = new StreamSource(schemaURL.openStream());
+        }
+
+        Schema schema = schemaFactory.newSchema(schemaSources);
+        unmarshaller.setSchema(schema);
+
+        return unmarshaller;
+    }
+
+    private static Schema getJAXPSchemaInstance(String schemaLocation) throws SAXException {
+        URL schemaURL = SecurityActions.loadResource(JAXBUtil.class, schemaLocation);
+        if (schemaURL == null)
+            throw logger.nullValueError("Schema URL :" + schemaLocation);
+        SchemaFactory scFact = getSchemaFactory();
+        Schema schema = scFact.newSchema(schemaURL);
+        return schema;
+    }
+
+    private static SchemaFactory getSchemaFactory() {
+        SchemaFactory scFact = SchemaFactory.newInstance(W3C_XML_SCHEMA_NS_URI);
+
+        // Always install the resolver unless the system property is set
+        if (SecurityActions.getSystemProperty("org.picketlink.identity.federation.jaxb.ls", null) == null)
+            scFact.setResourceResolver(new IDFedLSInputResolver());
+
+        scFact.setErrorHandler(new ErrorHandler() {
+            public void error(SAXParseException exception) throws SAXException {
+                StringBuilder builder = new StringBuilder();
+                builder.append("Line Number=").append(exception.getLineNumber());
+                builder.append(" Col Number=").append(exception.getColumnNumber());
+                builder.append(" Public ID=").append(exception.getPublicId());
+                builder.append(" System ID=").append(exception.getSystemId());
+                builder.append(" exc=").append(exception.getLocalizedMessage());
+
+                logger.trace("SAX Error:" + builder.toString());
+            }
+
+            public void fatalError(SAXParseException exception) throws SAXException {
+                StringBuilder builder = new StringBuilder();
+                builder.append("Line Number=").append(exception.getLineNumber());
+                builder.append(" Col Number=").append(exception.getColumnNumber());
+                builder.append(" Public ID=").append(exception.getPublicId());
+                builder.append(" System ID=").append(exception.getSystemId());
+                builder.append(" exc=").append(exception.getLocalizedMessage());
+
+                logger.error("SAX Fatal Error:" + builder.toString());
+            }
+
+            public void warning(SAXParseException exception) throws SAXException {
+                StringBuilder builder = new StringBuilder();
+                builder.append("Line Number=").append(exception.getLineNumber());
+                builder.append(" Col Number=").append(exception.getColumnNumber());
+                builder.append(" Public ID=").append(exception.getPublicId());
+                builder.append(" System ID=").append(exception.getSystemId());
+                builder.append(" exc=").append(exception.getLocalizedMessage());
+
+                logger.trace("SAX Warn:" + builder.toString());
+            }
+        });
+        return scFact;
+    }
+
+    public static JAXBContext getJAXBContext(String path) throws JAXBException {
+        JAXBContext jx = jaxbContextHash.get(path);
+        if (jx == null) {
+            jx = JAXBContext.newInstance(path);
+            jaxbContextHash.put(path, jx);
+        }
+        return jx;
+    }
+
+    public static JAXBContext getJAXBContext(String... paths) throws JAXBException {
+        int len = paths.length;
+        if (len == 0)
+            return getJAXBContext(paths[0]);
+
+        StringBuilder builder = new StringBuilder();
+        for (String path : paths) {
+            builder.append(path).append(":");
+        }
+
+        String finalPath = builder.toString();
+
+        JAXBContext jx = jaxbContextHash.get(finalPath);
+        if (jx == null) {
+            jx = JAXBContext.newInstance(finalPath);
+            jaxbContextHash.put(finalPath, jx);
+        }
+        return jx;
+    }
+
+    public static JAXBContext getJAXBContext(Class<?> clazz) throws JAXBException {
+        String clazzName = clazz.getName();
+
+        JAXBContext jx = jaxbContextHash.get(clazzName);
+        if (jx == null) {
+            jx = JAXBContext.newInstance(clazz);
+            jaxbContextHash.put(clazzName, jx);
+        }
+        return jx;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/JAXPValidationUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/JAXPValidationUtil.java
new file mode 100755
index 0000000000..836b3fcb06
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/JAXPValidationUtil.java
@@ -0,0 +1,168 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.DocumentUtil;
+import org.keycloak.saml.common.util.SystemPropertiesUtil;
+import org.w3c.dom.Node;
+import org.xml.sax.ErrorHandler;
+import org.xml.sax.SAXException;
+import org.xml.sax.SAXParseException;
+
+import javax.xml.transform.Source;
+import javax.xml.transform.stream.StreamSource;
+import javax.xml.validation.Schema;
+import javax.xml.validation.SchemaFactory;
+import javax.xml.validation.Validator;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.util.List;
+
+/**
+ * Utility class associated with JAXP Validation
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 30, 2011
+ */
+public class JAXPValidationUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    protected static Validator validator;
+
+    protected static SchemaFactory schemaFactory;
+
+    public static void validate(String str) throws SAXException, IOException {
+        validator().validate(new StreamSource(str));
+    }
+
+    public static void validate(InputStream stream) throws SAXException, IOException {
+        validator().validate(new StreamSource(stream));
+    }
+
+    /**
+     * Based on system property "picketlink.schema.validate" set to "true", do schema validation
+     *
+     * @param samlDocument
+     *
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     */
+    public static void checkSchemaValidation(Node samlDocument) throws ProcessingException {
+        if (SecurityActions.getSystemProperty("picketlink.schema.validate", "false").equalsIgnoreCase("true")) {
+            try {
+                JAXPValidationUtil.validate(DocumentUtil.getNodeAsStream(samlDocument));
+            } catch (Exception e) {
+                throw logger.processingError(e);
+            }
+        }
+    }
+
+    public static Validator validator() throws SAXException, IOException {
+        SystemPropertiesUtil.ensure();
+
+        if (validator == null) {
+            Schema schema = getSchema();
+            if (schema == null)
+                throw logger.nullValueError("schema");
+
+            validator = schema.newValidator();
+            validator.setErrorHandler(new CustomErrorHandler());
+        }
+        return validator;
+    }
+
+    private static Schema getSchema() throws IOException {
+        boolean tccl_jaxp = SystemPropertiesUtil.getSystemProperty(GeneralConstants.TCCL_JAXP, "false").equalsIgnoreCase("true");
+
+        ClassLoader prevTCCL = SecurityActions.getTCCL();
+        try {
+            if (tccl_jaxp) {
+                SecurityActions.setTCCL(JAXPValidationUtil.class.getClassLoader());
+            }
+            schemaFactory = SchemaFactory.newInstance("http://www.w3.org/2001/XMLSchema");
+
+            schemaFactory.setResourceResolver(new IDFedLSInputResolver());
+            schemaFactory.setErrorHandler(new CustomErrorHandler());
+        } finally {
+            if (tccl_jaxp) {
+                SecurityActions.setTCCL(prevTCCL);
+            }
+        }
+        Schema schemaGrammar = null;
+        try {
+            schemaGrammar = schemaFactory.newSchema(sources());
+        } catch (SAXException e) {
+            logger.xmlCouldNotGetSchema(e);
+        }
+        return schemaGrammar;
+    }
+
+    private static Source[] sources() throws IOException {
+        List<String> schemas = SchemaManagerUtil.getSchemas();
+
+        Source[] sourceArr = new Source[schemas.size()];
+
+        int i = 0;
+        for (String schema : schemas) {
+            URL url = SecurityActions.loadResource(JAXPValidationUtil.class, schema);
+            if (url == null)
+                throw logger.nullValueError("schema url:" + schema);
+            sourceArr[i++] = new StreamSource(url.openStream());
+        }
+        return sourceArr;
+    }
+
+    private static class CustomErrorHandler implements ErrorHandler {
+
+        public void error(SAXParseException ex) throws SAXException {
+            logException(ex);
+            if (ex.getMessage().contains("null") == false) {
+                throw ex;
+            }
+        }
+
+        public void fatalError(SAXParseException ex) throws SAXException {
+            logException(ex);
+            throw ex;
+        }
+
+        public void warning(SAXParseException ex) throws SAXException {
+            logException(ex);
+        }
+
+        private void logException(SAXParseException sax) {
+            StringBuilder builder = new StringBuilder();
+
+            if (logger.isTraceEnabled()) {
+                builder.append("[line:").append(sax.getLineNumber()).append(",").append("::col=").append(sax.getColumnNumber())
+                        .append("]");
+                builder.append("[publicID:").append(sax.getPublicId()).append(",systemId=").append(sax.getSystemId())
+                        .append("]");
+                builder.append(":").append(sax.getLocalizedMessage());
+                logger.trace(builder.toString());
+            }
+        }
+    }
+
+    ;
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/KeyStoreUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/KeyStoreUtil.java
new file mode 100755
index 0000000000..5daf8e6986
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/KeyStoreUtil.java
@@ -0,0 +1,201 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URL;
+import java.security.GeneralSecurityException;
+import java.security.Key;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.KeyStore;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.cert.Certificate;
+
+/**
+ * Utility to handle Java Keystore
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jan 12, 2009
+ */
+public class KeyStoreUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * Get the KeyStore
+     *
+     * @param keyStoreFile
+     * @param storePass
+     *
+     * @return
+     *
+     * @throws GeneralSecurityException
+     * @throws IOException
+     */
+    public static KeyStore getKeyStore(File keyStoreFile, char[] storePass) throws GeneralSecurityException, IOException {
+        FileInputStream fis = new FileInputStream(keyStoreFile);
+        return getKeyStore(fis, storePass);
+    }
+
+    /**
+     * Get the Keystore given the url to the keystore file as a string
+     *
+     * @param fileURL
+     * @param storePass
+     *
+     * @return
+     *
+     * @throws GeneralSecurityException
+     * @throws IOException
+     */
+    public static KeyStore getKeyStore(String fileURL, char[] storePass) throws GeneralSecurityException, IOException {
+        if (fileURL == null)
+            throw logger.nullArgumentError("fileURL");
+
+        File file = new File(fileURL);
+        FileInputStream fis = new FileInputStream(file);
+        return getKeyStore(fis, storePass);
+    }
+
+    /**
+     * Get the Keystore given the URL to the keystore
+     *
+     * @param url
+     * @param storePass
+     *
+     * @return
+     *
+     * @throws GeneralSecurityException
+     * @throws IOException
+     */
+    public static KeyStore getKeyStore(URL url, char[] storePass) throws GeneralSecurityException, IOException {
+        if (url == null)
+            throw logger.nullArgumentError("url");
+
+        return getKeyStore(url.openStream(), storePass);
+    }
+
+    /**
+     * Get the Key Store <b>Note:</b> This method wants the InputStream to be not null.
+     *
+     * @param ksStream
+     * @param storePass
+     *
+     * @return
+     *
+     * @throws GeneralSecurityException
+     * @throws IOException
+     * @throws IllegalArgumentException if ksStream is null
+     */
+    public static KeyStore getKeyStore(InputStream ksStream, char[] storePass) throws GeneralSecurityException, IOException {
+        if (ksStream == null)
+            throw logger.nullArgumentError("InputStream for the KeyStore");
+        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+        ks.load(ksStream, storePass);
+        return ks;
+    }
+
+    /**
+     * Generate a Key Pair
+     *
+     * @param algo (RSA, DSA etc)
+     *
+     * @return
+     *
+     * @throws GeneralSecurityException
+     */
+    public static KeyPair generateKeyPair(String algo) throws GeneralSecurityException {
+        KeyPairGenerator kpg = KeyPairGenerator.getInstance(algo);
+        return kpg.genKeyPair();
+    }
+
+    /**
+     * Get the Public Key from the keystore
+     *
+     * @param ks
+     * @param alias
+     * @param password
+     *
+     * @return
+     *
+     * @throws GeneralSecurityException
+     */
+    public static PublicKey getPublicKey(KeyStore ks, String alias, char[] password) throws GeneralSecurityException {
+        PublicKey publicKey = null;
+
+        // Get private key
+        Key key = ks.getKey(alias, password);
+        if (key instanceof PrivateKey) {
+            // Get certificate of public key
+            Certificate cert = ks.getCertificate(alias);
+
+            // Get public key
+            publicKey = cert.getPublicKey();
+        }
+        // if alias is a certificate alias, get the public key from the certificate.
+        if (publicKey == null) {
+            Certificate cert = ks.getCertificate(alias);
+            if (cert != null)
+                publicKey = cert.getPublicKey();
+        }
+        return publicKey;
+    }
+
+    /**
+     * Add a certificate to the KeyStore
+     *
+     * @param keystoreFile
+     * @param storePass
+     * @param alias
+     * @param cert
+     *
+     * @throws GeneralSecurityException
+     * @throws IOException
+     */
+    public static void addCertificate(File keystoreFile, char[] storePass, String alias, Certificate cert)
+            throws GeneralSecurityException, IOException {
+        KeyStore keystore = getKeyStore(keystoreFile, storePass);
+
+        // Add the certificate
+        keystore.setCertificateEntry(alias, cert);
+
+        // Save the new keystore contents
+        FileOutputStream out = null;
+        try {
+            out = new FileOutputStream(keystoreFile);
+            keystore.store(out, storePass);
+        } finally {
+            if (out != null) {
+                try {
+                    out.close();
+                } catch (IOException ioe) {
+                    // Ignore
+                }
+            }
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/NamespaceContext.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/NamespaceContext.java
new file mode 100755
index 0000000000..4928e644c2
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/NamespaceContext.java
@@ -0,0 +1,96 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.keycloak.saml.processing.core.util;
+
+import java.util.HashMap;
+import java.util.Iterator;
+import java.util.Map;
+
+/**
+ * Helper class in process of parsing signature out of SAML token.
+ * usage example:
+ * <code>
+ * xpath.setNamespaceContext(
+ * NamespaceContext.create()
+ * .addNsUriPair(xmlSignatureNSPrefix, JBossSAMLURIConstants.XMLDSIG_NSURI.get())
+ * );
+ * </code>
+ *
+ * @author Peter Skopek: pskopek at redhat dot com
+ */
+
+public class NamespaceContext implements javax.xml.namespace.NamespaceContext {
+
+    private Map<String, String> nsMap = new HashMap<String, String>();
+
+    public NamespaceContext() {
+    }
+
+    public NamespaceContext(String prefix, String uri) {
+        nsMap.put(prefix, uri);
+    }
+
+    /*
+     * (non-Javadoc)
+     *
+     * @see
+     * javax.xml.namespace.NamespaceContext#getNamespaceURI(java.lang.String)
+     */
+    public String getNamespaceURI(String prefix) {
+        return nsMap.get(prefix);
+    }
+
+    /*
+     * (non-Javadoc)
+     *
+     * @see javax.xml.namespace.NamespaceContext#getPrefix(java.lang.String)
+     */
+    public String getPrefix(String namespaceURI) {
+        for (String key : nsMap.keySet()) {
+            String value = nsMap.get(key);
+            if (value.equals(namespaceURI)) {
+                return key;
+            }
+        }
+        return null;
+    }
+
+    /*
+     * (non-Javadoc)
+     *
+     * @see javax.xml.namespace.NamespaceContext#getPrefixes(java.lang.String)
+     */
+    public Iterator<String> getPrefixes(String namespaceURI) {
+        return nsMap.keySet().iterator();
+    }
+
+    public NamespaceContext addNsUriPair(String ns, String uri) {
+        nsMap.put(ns, uri);
+        return this;
+    }
+
+    /**
+     * Create new NamespaceContext for use.
+     *
+     * @return
+     */
+    public static NamespaceContext create() {
+        return new NamespaceContext();
+    }
+}
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/ProvidersUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/ProvidersUtil.java
new file mode 100755
index 0000000000..cf6ec6faa5
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/ProvidersUtil.java
@@ -0,0 +1,127 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.Provider;
+import java.security.Security;
+
+/**
+ * Utility dealing with the Santuario (XMLSec) providers registration for PicketLink
+ *
+ * @author alessio.soldano@jboss.com
+ * @since 07-May-2012
+ */
+public class ProvidersUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * No-op call such that the default system properties are set
+     */
+    public static synchronized void ensure() {
+        AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
+            public Boolean run() {
+                // register Apache Santuario 1.5.x XMLDSig version
+                addXMLDSigRI();
+                // register BC provider if available (to have additional encryption algorithms, etc.)
+                addJceProvider("BC", "org.bouncycastle.jce.provider.BouncyCastleProvider");
+                return true;
+            }
+        });
+    }
+
+    private static void addXMLDSigRI() {
+        try {
+            Class<?> clazz = SecurityActions
+                    .loadClass(XMLSignatureUtil.class, "org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI");
+            if (clazz == null)
+                throw logger.classNotLoadedError("org.apache.jcp.xml.dsig.internal.dom.XMLDSigRI");
+            addJceProvider("ApacheXMLDSig", (Provider) clazz.newInstance());
+        } catch (Throwable t) {
+            // ignore - may be a NoClassDefFound if XMLDSigRI isn't avail
+            return;
+        }
+    }
+
+    /**
+     * Add a new JCE security provider to use for PicketLink.
+     *
+     * @param name The name string of the provider (this may not be the real name of the provider)
+     * @param provider A subclass of <code>java.security.Provider</code>
+     *
+     * @return Returns the actual name of the provider that was loaded
+     */
+    private static String addJceProvider(String name, Provider provider) {
+        Provider currentProvider = Security.getProvider(name);
+        if (currentProvider == null) {
+            try {
+                //
+                // Install the provider after the SUN provider (see WSS-99)
+                // Otherwise fall back to the old behaviour of inserting
+                // the provider in position 2. For AIX, install it after
+                // the IBMJCE provider.
+                //
+                int ret = 0;
+                Provider[] provs = Security.getProviders();
+                for (int i = 0; i < provs.length; i++) {
+                    if ("SUN".equals(provs[i].getName()) || "IBMJCE".equals(provs[i].getName())) {
+                        ret = Security.insertProviderAt(provider, i + 2);
+                        break;
+                    }
+                }
+                if (ret == 0) {
+                    ret = Security.insertProviderAt(provider, 2);
+                }
+                if (logger.isDebugEnabled()) {
+                    logger.debug("The provider " + provider.getName() + " - " + provider.getVersion() + " was added at position: "
+                            + ret);
+                }
+                return provider.getName();
+            } catch (Throwable t) {
+                if (logger.isDebugEnabled()) {
+                    logger.jceProviderCouldNotBeLoaded(name, t);
+                }
+                return null;
+            }
+        }
+        return currentProvider.getName();
+    }
+
+    private static String addJceProvider(String name, String className) {
+        Provider currentProvider = Security.getProvider(name);
+        if (currentProvider == null) {
+            try {
+                // Class<? extends Provider> clazz = Loader.loadClass(className, false, Provider.class);
+                Class<? extends Provider> clazz = Class.forName(className).asSubclass(Provider.class);
+                Provider provider = clazz.newInstance();
+                return addJceProvider(name, provider);
+            } catch (Throwable t) {
+                if (logger.isDebugEnabled()) {
+                    logger.jceProviderCouldNotBeLoaded(name, t);
+                }
+                return null;
+            }
+        }
+        return currentProvider.getName();
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SchemaManagerUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SchemaManagerUtil.java
new file mode 100755
index 0000000000..758133d961
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SchemaManagerUtil.java
@@ -0,0 +1,106 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.util;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Manages the schemas for PicketLink
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jun 30, 2011
+ */
+public class SchemaManagerUtil {
+
+    public static List<String> getXMLSchemas() {
+        List<String> list = new ArrayList<String>();
+
+        list.add("schema/w3c/xmlschema/xml.xsd");
+        return list;
+    }
+
+    public static List<String> getXMLDSig() {
+        List<String> list = new ArrayList<String>();
+
+        list.add("schema/w3c/xmldsig/xmldsig-core-schema.xsd");
+        return list;
+    }
+
+    public static List<String> getXMLEnc() {
+        List<String> list = new ArrayList<String>();
+
+        list.add("schema/w3c/xmlenc/xenc-schema.xsd");
+        return list;
+    }
+
+    public static List<String> getXACMLSchemas() {
+        List<String> list = new ArrayList<String>();
+
+        list.add("schema/access_control-xacml-2.0-policy-schema-os.xsd");
+        list.add("schema/access_control-xacml-2.0-context-schema-os.xsd");
+        return list;
+    }
+
+    public static List<String> getSAML2Schemas() {
+        List<String> list = new ArrayList<String>();
+
+        list.add("schema/saml/v2/saml-schema-assertion-2.0.xsd");
+        list.add("schema/saml/v2/saml-schema-protocol-2.0.xsd");
+        list.add("schema/saml/v2/saml-schema-metadata-2.0.xsd");
+        list.add("schema/saml/v2/saml-schema-x500-2.0.xsd");
+        list.add("schema/saml/v2/saml-schema-authn-context-2.0.xsd");
+        list.add("schema/saml/v2/saml-schema-authn-context-types-2.0.xsd");
+        list.add("schema/saml/v2/saml-schema-xacml-2.0.xsd");
+        list.add("schema/saml/v2/access_control-xacml-2.0-saml-assertion-schema-os.xsd");
+        list.add("schema/saml/v2/access_control-xacml-2.0-saml-protocol-schema-os.xsd");
+        return list;
+    }
+
+    public static List<String> getSAML11Schemas() {
+        List<String> list = new ArrayList<String>();
+
+        list.add("schema/saml/v1/saml-schema-assertion-1.0.xsd");
+        list.add("schema/saml/v1/oasis-sstc-saml-schema-assertion-1.1.xsd");
+        list.add("schema/saml/v1/saml-schema-protocol-1.1.xsd");
+        return list;
+    }
+
+    public static List<String> getWSTrustSchemas() {
+        List<String> list = new ArrayList<String>();
+
+        list.add("schema/wstrust/v1_3/ws-trust-1.3.xsd");
+        list.add("schema/wstrust/v1_3/oasis-200401-wss-wssecurity-secext-1.0.xsd");
+        list.add("schema/wstrust/v1_3/oasis-200401-wss-wssecurity-utility-1.0.xsd");
+        list.add("schema/wstrust/v1_3/ws-policy.xsd");
+        list.add("schema/wstrust/v1_3/ws-addr.xsd");
+        return list;
+    }
+
+    public static List<String> getSchemas() {
+        List<String> list = new ArrayList<String>();
+        list.addAll(getXMLSchemas());
+        list.addAll(getXMLDSig());
+        list.addAll(getXMLEnc());
+        list.addAll(getSAML2Schemas());
+        list.addAll(getSAML11Schemas());
+        list.addAll(getXACMLSchemas());
+        list.addAll(getWSTrustSchemas());
+        return list;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SecurityActions.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SecurityActions.java
new file mode 100755
index 0000000000..d7c5382006
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SecurityActions.java
@@ -0,0 +1,225 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.util;
+
+import java.net.URL;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * Privileged Blocks
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 9, 2008
+ */
+class SecurityActions {
+
+    /**
+     * <p>
+     * Loads a {@link Class} using the <code>fullQualifiedName</code> supplied. This method tries first to load from
+     * the
+     * specified {@link Class}, if not found it will try to load from using TCL.
+     * </p>
+     *
+     * @param theClass
+     * @param fullQualifiedName
+     *
+     * @return
+     */
+    static Class<?> loadClass(final Class<?> theClass, final String fullQualifiedName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
+                public Class<?> run() {
+                    ClassLoader classLoader = theClass.getClassLoader();
+
+                    Class<?> clazz = loadClass(classLoader, fullQualifiedName);
+                    if (clazz == null) {
+                        classLoader = Thread.currentThread().getContextClassLoader();
+                        clazz = loadClass(classLoader, fullQualifiedName);
+                    }
+                    return clazz;
+                }
+            });
+        } else {
+            ClassLoader classLoader = theClass.getClassLoader();
+
+            Class<?> clazz = loadClass(classLoader, fullQualifiedName);
+            if (clazz == null) {
+                classLoader = Thread.currentThread().getContextClassLoader();
+                clazz = loadClass(classLoader, fullQualifiedName);
+            }
+            return clazz;
+        }
+    }
+
+    /**
+     * <p>
+     * Loads a class from the specified {@link ClassLoader} using the <code>fullQualifiedName</code> supplied.
+     * </p>
+     *
+     * @param classLoader
+     * @param fullQualifiedName
+     *
+     * @return
+     */
+    static Class<?> loadClass(final ClassLoader classLoader, final String fullQualifiedName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
+                public Class<?> run() {
+                    try {
+                        return classLoader.loadClass(fullQualifiedName);
+                    } catch (ClassNotFoundException e) {
+                    }
+                    return null;
+                }
+            });
+        } else {
+            try {
+                return classLoader.loadClass(fullQualifiedName);
+            } catch (ClassNotFoundException e) {
+            }
+            return null;
+        }
+    }
+
+    /**
+     * Load a resource based on the passed {@link Class} classloader. Failing which try with the Thread Context CL
+     *
+     * @param clazz
+     * @param resourceName
+     *
+     * @return
+     */
+    static URL loadResource(final Class<?> clazz, final String resourceName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<URL>() {
+                public URL run() {
+                    URL url = null;
+                    ClassLoader clazzLoader = clazz.getClassLoader();
+                    url = clazzLoader.getResource(resourceName);
+
+                    if (url == null) {
+                        clazzLoader = Thread.currentThread().getContextClassLoader();
+                        url = clazzLoader.getResource(resourceName);
+                    }
+
+                    return url;
+                }
+            });
+        } else {
+            URL url = null;
+            ClassLoader clazzLoader = clazz.getClassLoader();
+            url = clazzLoader.getResource(resourceName);
+
+            if (url == null) {
+                clazzLoader = Thread.currentThread().getContextClassLoader();
+                url = clazzLoader.getResource(resourceName);
+            }
+
+            return url;
+        }
+    }
+
+    /**
+     * Set the system property
+     *
+     * @param key
+     * @param defaultValue
+     *
+     * @return
+     */
+    static void setSystemProperty(final String key, final String value) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            AccessController.doPrivileged(new PrivilegedAction<Object>() {
+                public Object run() {
+                    System.setProperty(key, value);
+                    return null;
+                }
+            });
+        } else {
+            System.setProperty(key, value);
+        }
+    }
+
+    /**
+     * <p>Returns a system property value using the specified <code>key</code>. If not found the
+     * <code>defaultValue</code> will be returned.</p>
+     *
+     * @param key
+     * @param defaultValue
+     *
+     * @return
+     */
+    static String getSystemProperty(final String key, final String defaultValue) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<String>() {
+                public String run() {
+                    return System.getProperty(key, defaultValue);
+                }
+            });
+        } else {
+            return System.getProperty(key, defaultValue);
+        }
+    }
+
+    /**
+     * Get the Thread Context ClassLoader
+     *
+     * @return
+     */
+    static ClassLoader getTCCL() {
+        if (System.getSecurityManager() != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<ClassLoader>() {
+                public ClassLoader run() {
+                    return Thread.currentThread().getContextClassLoader();
+                }
+            });
+        } else {
+            return Thread.currentThread().getContextClassLoader();
+        }
+    }
+
+    /**
+     * Set the Thread Context ClassLoader
+     *
+     * @param paramCl
+     */
+    static void setTCCL(final ClassLoader paramCl) {
+        if (System.getSecurityManager() != null) {
+            AccessController.doPrivileged(new PrivilegedAction<Void>() {
+                public Void run() {
+                    Thread.currentThread().setContextClassLoader(paramCl);
+                    return null;
+                }
+            });
+        } else {
+
+            Thread.currentThread().setContextClassLoader(paramCl);
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SignatureUtilTransferObject.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SignatureUtilTransferObject.java
new file mode 100755
index 0000000000..96e3f6934a
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/SignatureUtilTransferObject.java
@@ -0,0 +1,115 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.util;
+
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+
+import java.security.KeyPair;
+import java.security.cert.X509Certificate;
+
+/**
+ * A Transfer Object used by {@link XMLSignatureUtil}
+ *
+ * @author anil saldhana
+ */
+public class SignatureUtilTransferObject {
+
+    private X509Certificate x509Certificate;
+
+    private Document documentToBeSigned;
+    private KeyPair keyPair;
+
+    private Node nextSibling;
+
+    private String digestMethod;
+
+    private String referenceURI;
+
+    private String signatureMethod;
+
+    public Document getDocumentToBeSigned() {
+        return documentToBeSigned;
+    }
+
+    public void setDocumentToBeSigned(Document documentToBeSigned) {
+        this.documentToBeSigned = documentToBeSigned;
+    }
+
+    public KeyPair getKeyPair() {
+        return keyPair;
+    }
+
+    public void setKeyPair(KeyPair keyPair) {
+        this.keyPair = keyPair;
+    }
+
+    public Node getNextSibling() {
+        return nextSibling;
+    }
+
+    public void setNextSibling(Node nextSibling) {
+        this.nextSibling = nextSibling;
+    }
+
+    public String getDigestMethod() {
+        return digestMethod;
+    }
+
+    public void setDigestMethod(String digestMethod) {
+        this.digestMethod = digestMethod;
+    }
+
+    public String getReferenceURI() {
+        return referenceURI;
+    }
+
+    public void setReferenceURI(String referenceURI) {
+        this.referenceURI = referenceURI;
+    }
+
+    public String getSignatureMethod() {
+        return signatureMethod;
+    }
+
+    public void setSignatureMethod(String signatureMethod) {
+        this.signatureMethod = signatureMethod;
+    }
+
+    /**
+     * Get the {@link X509Certificate} used for signing
+     *
+     * @return
+     *
+     * @since 2.5.0
+     */
+    public X509Certificate getX509Certificate() {
+        return x509Certificate;
+    }
+
+    /**
+     * Set the {@link X509Certificate} used for signing
+     *
+     * @param x509Certificate
+     *
+     * @since 2.5.0
+     */
+    public void setX509Certificate(X509Certificate x509Certificate) {
+        this.x509Certificate = x509Certificate;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLEncryptionUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLEncryptionUtil.java
new file mode 100755
index 0000000000..e7a12ed5e5
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLEncryptionUtil.java
@@ -0,0 +1,561 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.util;
+
+import org.apache.xml.security.encryption.EncryptedData;
+import org.apache.xml.security.encryption.EncryptedKey;
+import org.apache.xml.security.encryption.XMLCipher;
+import org.apache.xml.security.encryption.XMLEncryptionException;
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.DocumentUtil;
+import org.keycloak.saml.common.util.StringUtil;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+
+import javax.crypto.SecretKey;
+import javax.xml.namespace.QName;
+import java.security.Key;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.util.HashMap;
+
+/**
+ * Utility for XML Encryption <b>Note: </b> This utility is currently using Apache XML Security library API. JSR-106 is
+ * not yet
+ * final. Until that happens,we rely on the non-standard API.
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since May 4, 2009
+ */
+public class XMLEncryptionUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    static {
+        // Initialize the Apache XML Security Library
+        org.apache.xml.security.Init.init();
+    }
+
+    public static final String CIPHER_DATA_LOCALNAME = "CipherData";
+
+    public static final String ENCRYPTED_KEY_LOCALNAME = "EncryptedKey";
+
+    public static final String DS_KEY_INFO = "ds:KeyInfo";
+
+    public static final String XMLNS = "http://www.w3.org/2000/xmlns/";
+
+    public static final String XMLSIG_NS = "http://www.w3.org/2000/09/xmldsig#";
+
+    public static final String XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#";
+
+    private static HashMap<String, EncryptionAlgorithm> algorithms = new HashMap<String, EncryptionAlgorithm>(4);
+
+    private static class EncryptionAlgorithm {
+
+        EncryptionAlgorithm(String jceName, String xmlSecName, int size) {
+            this.jceName = jceName;
+            this.xmlSecName = xmlSecName;
+            this.size = size;
+        }
+
+        @SuppressWarnings("unused")
+        public String jceName;
+
+        public String xmlSecName;
+
+        public int size;
+    }
+
+    static {
+        algorithms.put("aes-128", new EncryptionAlgorithm("AES", XMLCipher.AES_128, 128));
+        algorithms.put("aes-192", new EncryptionAlgorithm("AES", XMLCipher.AES_192, 192));
+        algorithms.put("aes-256", new EncryptionAlgorithm("AES", XMLCipher.AES_256, 256));
+        algorithms.put("aes", new EncryptionAlgorithm("AES", XMLCipher.AES_256, 256));
+
+        algorithms.put("tripledes", new EncryptionAlgorithm("TripleDes", XMLCipher.TRIPLEDES, 168));
+    }
+
+    /**
+     * Given the JCE algorithm, get the XML Encryption URL
+     *
+     * @param certAlgo
+     *
+     * @return
+     */
+    public static String getEncryptionURL(String certAlgo) {
+        EncryptionAlgorithm ea = algorithms.get(certAlgo);
+        if (ea == null)
+            throw logger.encryptUnknownAlgoError(certAlgo);
+        return ea.xmlSecName;
+    }
+
+    /**
+     * Given the JCE algorithm, get the XML Encryption KeySize
+     *
+     * @param certAlgo
+     *
+     * @return
+     */
+    public static int getEncryptionKeySize(String certAlgo) {
+        EncryptionAlgorithm ea = algorithms.get(certAlgo);
+        if (ea == null)
+            throw logger.encryptUnknownAlgoError(certAlgo);
+        return ea.size;
+    }
+
+    /**
+     * <p>
+     * Encrypt the Key to be transported
+     * </p>
+     * <p>
+     * Data is encrypted with a SecretKey. Then the key needs to be transported to the other end where it is needed for
+     * decryption. For the Key transport, the SecretKey is encrypted with the recipient's public key. At the receiving
+     * end, the
+     * receiver can decrypt the Secret Key using his private key.s
+     * </p>
+     *
+     * @param document
+     * @param keyToBeEncrypted Symmetric Key (SecretKey)
+     * @param keyUsedToEncryptSecretKey Asymmetric Key (Public Key)
+     * @param keySize Length of the key
+     *
+     * @return
+     *
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     */
+    public static EncryptedKey encryptKey(Document document, SecretKey keyToBeEncrypted, PublicKey keyUsedToEncryptSecretKey,
+                                          int keySize) throws ProcessingException {
+        XMLCipher keyCipher = null;
+        String pubKeyAlg = keyUsedToEncryptSecretKey.getAlgorithm();
+
+        try {
+            String keyWrapAlgo = getXMLEncryptionURLForKeyUnwrap(pubKeyAlg, keySize);
+            keyCipher = XMLCipher.getInstance(keyWrapAlgo);
+
+            keyCipher.init(XMLCipher.WRAP_MODE, keyUsedToEncryptSecretKey);
+            return keyCipher.encryptKey(document, keyToBeEncrypted);
+        } catch (XMLEncryptionException e) {
+            throw logger.processingError(e);
+        }
+    }
+
+    /**
+     * Given an element in a Document, encrypt the element and replace the element in the document with the encrypted
+     * data
+     *
+     * @param elementQName QName of the element that we like to encrypt
+     * @param publicKey
+     * @param secretKey
+     * @param keySize
+     * @param wrappingElementQName A QName of an element that will wrap the encrypted element
+     * @param addEncryptedKeyInKeyInfo Need for the EncryptedKey to be placed in ds:KeyInfo
+     *
+     * @return
+     *
+     * @throws ProcessingException
+     */
+    public static void encryptElement(QName elementQName, Document document, PublicKey publicKey, SecretKey secretKey,
+                                      int keySize, QName wrappingElementQName, boolean addEncryptedKeyInKeyInfo) throws ProcessingException {
+        if (elementQName == null)
+            throw logger.nullArgumentError("elementQName");
+        if (document == null)
+            throw logger.nullArgumentError("document");
+        String wrappingElementPrefix = wrappingElementQName.getPrefix();
+        if (wrappingElementPrefix == null || wrappingElementPrefix == "")
+            throw logger.wrongTypeError("Wrapping element prefix invalid");
+
+        Element documentElement = DocumentUtil.getElement(document, elementQName);
+
+        if (documentElement == null)
+            throw logger.domMissingDocElementError(elementQName.toString());
+
+        XMLCipher cipher = null;
+        EncryptedKey encryptedKey = encryptKey(document, secretKey, publicKey, keySize);
+
+        String encryptionAlgorithm = getXMLEncryptionURL(secretKey.getAlgorithm(), keySize);
+        // Encrypt the Document
+        try {
+            cipher = XMLCipher.getInstance(encryptionAlgorithm);
+            cipher.init(XMLCipher.ENCRYPT_MODE, secretKey);
+        } catch (XMLEncryptionException e1) {
+            throw logger.processingError(e1);
+        }
+
+        Document encryptedDoc;
+        try {
+            encryptedDoc = cipher.doFinal(document, documentElement);
+        } catch (Exception e) {
+            throw logger.processingError(e);
+        }
+
+        // The EncryptedKey element is added
+        Element encryptedKeyElement = cipher.martial(document, encryptedKey);
+
+        String wrappingElementName = wrappingElementPrefix + ":" + wrappingElementQName.getLocalPart();
+
+        // Create the wrapping element and set its attribute NS
+        Element wrappingElement = encryptedDoc.createElementNS(wrappingElementQName.getNamespaceURI(), wrappingElementName);
+
+        if (StringUtil.isNullOrEmpty(wrappingElementPrefix)) {
+            wrappingElementName = wrappingElementQName.getLocalPart();
+        }
+        wrappingElement.setAttributeNS(XMLNS, "xmlns:" + wrappingElementPrefix, wrappingElementQName.getNamespaceURI());
+
+        // Get Hold of the Cipher Data
+        NodeList cipherElements = encryptedDoc.getElementsByTagNameNS(XMLENC_NS, "EncryptedData");
+        if (cipherElements == null || cipherElements.getLength() == 0)
+            throw logger.domMissingElementError("xenc:EncryptedData");
+        Element encryptedDataElement = (Element) cipherElements.item(0);
+
+        Node parentOfEncNode = encryptedDataElement.getParentNode();
+        parentOfEncNode.replaceChild(wrappingElement, encryptedDataElement);
+
+        wrappingElement.appendChild(encryptedDataElement);
+
+        if (addEncryptedKeyInKeyInfo) {
+            // Outer ds:KeyInfo Element to hold the EncryptionKey
+            Element sigElement = encryptedDoc.createElementNS(XMLSIG_NS, DS_KEY_INFO);
+            sigElement.setAttributeNS(XMLNS, "xmlns:ds", XMLSIG_NS);
+            sigElement.appendChild(encryptedKeyElement);
+
+            // Insert the Encrypted key before the CipherData element
+            NodeList nodeList = encryptedDoc.getElementsByTagNameNS(XMLENC_NS, CIPHER_DATA_LOCALNAME);
+            if (nodeList == null || nodeList.getLength() == 0)
+                throw logger.domMissingElementError("xenc:CipherData");
+            Element cipherDataElement = (Element) nodeList.item(0);
+            Node cipherParent = cipherDataElement.getParentNode();
+            cipherParent.insertBefore(sigElement, cipherDataElement);
+        } else {
+            // Add the encrypted key as a child of the wrapping element
+            wrappingElement.appendChild(encryptedKeyElement);
+        }
+    }
+
+    /**
+     * <p>
+     * Encrypts an element in a XML document using the specified public key, secret key, and key size. This method
+     * doesn't wrap
+     * the encrypted element in a new element. Instead, it replaces the element with its encrypted version.
+     * </p>
+     * <p>
+     * For example, calling this method to encrypt the <tt><b>inner</b></tt> element in the following XML document
+     *
+     * <pre>
+     *    &lt;root&gt;
+     *       &lt;outer&gt;
+     *          &lt;inner&gt;
+     *             ...
+     *          &lt;/inner&gt;
+     *       &lt;/outer&gt;
+     *    &lt;/root&gt;
+     * </pre>
+     *
+     * would result in a document similar to
+     *
+     * <pre>
+     *    &lt;root&gt;
+     *       &lt;outer&gt;
+     *          &lt;xenc:EncryptedData xmlns:xenc="..."&gt;
+     *             ...
+     *          &lt;/xenc:EncryptedData&gt;
+     *       &lt;/outer&gt;
+     *    &lt;/root&gt;
+     * </pre>
+     *
+     * </p>
+     *
+     * @param document the {@code Document} that contains the element to be encrypted.
+     * @param element the {@code Element} to be encrypted.
+     * @param publicKey the {@code PublicKey} that must be used to encrypt the secret key.
+     * @param secretKey the {@code SecretKey} used to encrypt the specified element.
+     * @param keySize the size (in bits) of the secret key.
+     *
+     * @throws ProcessingException if an error occurs while encrypting the element with the specified params.
+     */
+    public static void encryptElement(Document document, Element element, PublicKey publicKey, SecretKey secretKey, int keySize)
+            throws ProcessingException {
+        if (element == null)
+            throw logger.nullArgumentError("element");
+        if (document == null)
+            throw logger.nullArgumentError("document");
+
+        XMLCipher cipher = null;
+        EncryptedKey encryptedKey = encryptKey(document, secretKey, publicKey, keySize);
+        String encryptionAlgorithm = getXMLEncryptionURL(secretKey.getAlgorithm(), keySize);
+
+        // Encrypt the Document
+        try {
+            cipher = XMLCipher.getInstance(encryptionAlgorithm);
+            cipher.init(XMLCipher.ENCRYPT_MODE, secretKey);
+        } catch (XMLEncryptionException e1) {
+            throw logger.processingError(e1);
+        }
+
+        Document encryptedDoc;
+        try {
+            encryptedDoc = cipher.doFinal(document, element);
+        } catch (Exception e) {
+            throw logger.processingError(e);
+        }
+
+        // The EncryptedKey element is added
+        Element encryptedKeyElement = cipher.martial(document, encryptedKey);
+
+        // Outer ds:KeyInfo Element to hold the EncryptionKey
+        Element sigElement = encryptedDoc.createElementNS(XMLSIG_NS, DS_KEY_INFO);
+        sigElement.setAttributeNS(XMLNS, "xmlns:ds", XMLSIG_NS);
+        sigElement.appendChild(encryptedKeyElement);
+
+        // Insert the Encrypted key before the CipherData element
+        NodeList nodeList = encryptedDoc.getElementsByTagNameNS(XMLENC_NS, CIPHER_DATA_LOCALNAME);
+        if (nodeList == null || nodeList.getLength() == 0)
+            throw logger.domMissingElementError("xenc:CipherData");
+        Element cipherDataElement = (Element) nodeList.item(0);
+        Node cipherParent = cipherDataElement.getParentNode();
+        cipherParent.insertBefore(sigElement, cipherDataElement);
+    }
+
+    /**
+     * Encrypt the root document element inside a Document. <b>NOTE:</> The document root element will be replaced by
+     * the
+     * wrapping element.
+     *
+     * @param document Document that contains an element to encrypt
+     * @param publicKey The Public Key used to encrypt the secret encryption key
+     * @param secretKey The secret encryption key
+     * @param keySize Length of key
+     * @param wrappingElementQName QName of the element to be used to wrap around the cipher data.
+     * @param addEncryptedKeyInKeyInfo Should the encrypted key be inside a KeyInfo or added as a peer of Cipher Data
+     *
+     * @return An element that has the wrappingElementQName
+     *
+     * @throws ProcessingException
+     * @throws org.keycloak.saml.common.exceptions.ConfigurationException
+     */
+    public static Element encryptElementInDocument(Document document, PublicKey publicKey, SecretKey secretKey, int keySize,
+                                                   QName wrappingElementQName, boolean addEncryptedKeyInKeyInfo) throws ProcessingException, ConfigurationException {
+        String wrappingElementPrefix = wrappingElementQName.getPrefix();
+        if (wrappingElementPrefix == null || wrappingElementPrefix == "")
+            throw logger.wrongTypeError("Wrapping element prefix invalid");
+
+        XMLCipher cipher = null;
+        EncryptedKey encryptedKey = encryptKey(document, secretKey, publicKey, keySize);
+
+        String encryptionAlgorithm = getXMLEncryptionURL(secretKey.getAlgorithm(), keySize);
+        // Encrypt the Document
+        try {
+            cipher = XMLCipher.getInstance(encryptionAlgorithm);
+            cipher.init(XMLCipher.ENCRYPT_MODE, secretKey);
+        } catch (XMLEncryptionException e1) {
+            throw logger.configurationError(e1);
+        }
+
+        Document encryptedDoc;
+        try {
+            encryptedDoc = cipher.doFinal(document, document.getDocumentElement());
+        } catch (Exception e) {
+            throw logger.processingError(e);
+        }
+
+        // The EncryptedKey element is added
+        Element encryptedKeyElement = cipher.martial(document, encryptedKey);
+
+        String wrappingElementName = wrappingElementPrefix + ":" + wrappingElementQName.getLocalPart();
+
+        // Create the wrapping element and set its attribute NS
+        Element wrappingElement = encryptedDoc.createElementNS(wrappingElementQName.getNamespaceURI(), wrappingElementName);
+
+        if (StringUtil.isNullOrEmpty(wrappingElementPrefix)) {
+            wrappingElementName = wrappingElementQName.getLocalPart();
+        }
+        wrappingElement.setAttributeNS(XMLNS, "xmlns:" + wrappingElementPrefix, wrappingElementQName.getNamespaceURI());
+
+        Element encryptedDocRootElement = encryptedDoc.getDocumentElement();
+        // Bring in the encrypted wrapping element to wrap the root node
+        encryptedDoc.replaceChild(wrappingElement, encryptedDocRootElement);
+
+        wrappingElement.appendChild(encryptedDocRootElement);
+
+        if (addEncryptedKeyInKeyInfo) {
+            // Outer ds:KeyInfo Element to hold the EncryptionKey
+            Element sigElement = encryptedDoc.createElementNS(XMLSIG_NS, DS_KEY_INFO);
+            sigElement.setAttributeNS(XMLNS, "xmlns:ds", XMLSIG_NS);
+            sigElement.appendChild(encryptedKeyElement);
+
+            // Insert the Encrypted key before the CipherData element
+            NodeList nodeList = encryptedDocRootElement.getElementsByTagNameNS(XMLENC_NS, CIPHER_DATA_LOCALNAME);
+            if (nodeList == null || nodeList.getLength() == 0)
+                throw logger.domMissingElementError("xenc:CipherData");
+
+            Element cipherDataElement = (Element) nodeList.item(0);
+            encryptedDocRootElement.insertBefore(sigElement, cipherDataElement);
+        } else {
+            // Add the encrypted key as a child of the wrapping element
+            wrappingElement.appendChild(encryptedKeyElement);
+        }
+
+        return encryptedDoc.getDocumentElement();
+    }
+
+    /**
+     * Decrypt an encrypted element inside a document
+     *
+     * @param documentWithEncryptedElement
+     * @param privateKey key need to unwrap the encryption key
+     *
+     * @return the document with the encrypted element replaced by the data element
+     *
+     * @throws XMLEncryptionException
+     * @throws ProcessingException
+     */
+    public static Element decryptElementInDocument(Document documentWithEncryptedElement, PrivateKey privateKey)
+            throws ProcessingException {
+        if (documentWithEncryptedElement == null)
+            throw logger.nullArgumentError("Input document is null");
+
+        // Look for encrypted data element
+        Element documentRoot = documentWithEncryptedElement.getDocumentElement();
+        Element encDataElement = getNextElementNode(documentRoot.getFirstChild());
+        if (encDataElement == null)
+            throw logger.domMissingElementError("No element representing the encrypted data found");
+
+        // Look at siblings for the key
+        Element encKeyElement = getNextElementNode(encDataElement.getNextSibling());
+        if (encKeyElement == null) {
+            // Search the enc data element for enc key
+            NodeList nodeList = encDataElement.getElementsByTagNameNS(XMLENC_NS, ENCRYPTED_KEY_LOCALNAME);
+
+            if (nodeList == null || nodeList.getLength() == 0)
+                throw logger.nullValueError("Encrypted Key not found in the enc data");
+
+            encKeyElement = (Element) nodeList.item(0);
+        }
+
+        XMLCipher cipher;
+        EncryptedData encryptedData;
+        EncryptedKey encryptedKey;
+        try {
+            cipher = XMLCipher.getInstance();
+            cipher.init(XMLCipher.DECRYPT_MODE, null);
+            encryptedData = cipher.loadEncryptedData(documentWithEncryptedElement, encDataElement);
+            encryptedKey = cipher.loadEncryptedKey(documentWithEncryptedElement, encKeyElement);
+        } catch (XMLEncryptionException e1) {
+            throw logger.processingError(e1);
+        }
+
+        Document decryptedDoc = null;
+
+        if (encryptedData != null && encryptedKey != null) {
+            try {
+                String encAlgoURL = encryptedData.getEncryptionMethod().getAlgorithm();
+                XMLCipher keyCipher = XMLCipher.getInstance();
+                keyCipher.init(XMLCipher.UNWRAP_MODE, privateKey);
+                Key encryptionKey = keyCipher.decryptKey(encryptedKey, encAlgoURL);
+                cipher = XMLCipher.getInstance();
+                cipher.init(XMLCipher.DECRYPT_MODE, encryptionKey);
+
+                decryptedDoc = cipher.doFinal(documentWithEncryptedElement, encDataElement);
+            } catch (Exception e) {
+                throw logger.processingError(e);
+            }
+        }
+
+        if(decryptedDoc == null){
+            throw logger.nullValueError("decryptedDoc");
+        }
+
+        Element decryptedRoot = decryptedDoc.getDocumentElement();
+        Element dataElement = getNextElementNode(decryptedRoot.getFirstChild());
+        if (dataElement == null)
+            throw logger.nullValueError("Data Element after encryption is null");
+
+        decryptedRoot.removeChild(dataElement);
+        decryptedDoc.replaceChild(dataElement, decryptedRoot);
+
+        return decryptedDoc.getDocumentElement();
+    }
+
+    /**
+     * From the secret key, get the W3C XML Encryption URL
+     *
+     * @param publicKeyAlgo
+     * @param keySize
+     *
+     * @return
+     */
+    private static String getXMLEncryptionURLForKeyUnwrap(String publicKeyAlgo, int keySize) {
+        if ("AES".equals(publicKeyAlgo)) {
+            switch (keySize) {
+                case 192:
+                    return XMLCipher.AES_192_KeyWrap;
+                case 256:
+                    return XMLCipher.AES_256_KeyWrap;
+                default:
+                    return XMLCipher.AES_128_KeyWrap;
+            }
+        }
+        if (publicKeyAlgo.contains("RSA"))
+            return XMLCipher.RSA_v1dot5;
+        if (publicKeyAlgo.contains("DES"))
+            return XMLCipher.TRIPLEDES_KeyWrap;
+        throw logger.unsupportedType("unsupported publicKey Algo:" + publicKeyAlgo);
+    }
+
+    /**
+     * From the secret key, get the W3C XML Encryption URL
+     *
+     * @param secretKey
+     * @param keySize
+     *
+     * @return
+     */
+    private static String getXMLEncryptionURL(String algo, int keySize) {
+        if ("AES".equals(algo)) {
+            switch (keySize) {
+                case 192:
+                    return XMLCipher.AES_192;
+                case 256:
+                    return XMLCipher.AES_256;
+                default:
+                    return XMLCipher.AES_128;
+            }
+        }
+        if (algo.contains("RSA"))
+            return XMLCipher.RSA_v1dot5;
+        if (algo.contains("DES"))
+            return XMLCipher.TRIPLEDES_KeyWrap;
+        throw logger.unsupportedType("Secret Key with unsupported algo:" + algo);
+    }
+
+    /**
+     * Returns the next Element node.
+     */
+    private static Element getNextElementNode(Node node) {
+        while (node != null) {
+            if (Node.ELEMENT_NODE == node.getNodeType())
+                return (Element) node;
+            node = node.getNextSibling();
+        }
+        return null;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java
new file mode 100755
index 0000000000..aa4322e96e
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/core/util/XMLSignatureUtil.java
@@ -0,0 +1,754 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.core.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.constants.WSTrustConstants;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.Base64;
+import org.keycloak.saml.common.util.DocumentUtil;
+import org.keycloak.saml.common.util.StringUtil;
+import org.keycloak.saml.common.util.SystemPropertiesUtil;
+import org.keycloak.saml.common.util.TransformerUtil;
+import org.keycloak.dom.xmlsec.w3.xmldsig.DSAKeyValueType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.KeyValueType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.RSAKeyValueType;
+import org.keycloak.dom.xmlsec.w3.xmldsig.SignatureType;
+import org.w3c.dom.Attr;
+import org.w3c.dom.Document;
+import org.w3c.dom.Element;
+import org.w3c.dom.NamedNodeMap;
+import org.w3c.dom.Node;
+import org.w3c.dom.NodeList;
+import org.xml.sax.SAXException;
+
+import javax.xml.bind.JAXBException;
+import javax.xml.crypto.MarshalException;
+import javax.xml.crypto.dsig.CanonicalizationMethod;
+import javax.xml.crypto.dsig.DigestMethod;
+import javax.xml.crypto.dsig.Reference;
+import javax.xml.crypto.dsig.SignatureMethod;
+import javax.xml.crypto.dsig.SignedInfo;
+import javax.xml.crypto.dsig.Transform;
+import javax.xml.crypto.dsig.XMLSignature;
+import javax.xml.crypto.dsig.XMLSignatureException;
+import javax.xml.crypto.dsig.XMLSignatureFactory;
+import javax.xml.crypto.dsig.dom.DOMSignContext;
+import javax.xml.crypto.dsig.dom.DOMValidateContext;
+import javax.xml.crypto.dsig.keyinfo.KeyInfo;
+import javax.xml.crypto.dsig.keyinfo.KeyInfoFactory;
+import javax.xml.crypto.dsig.keyinfo.KeyValue;
+import javax.xml.crypto.dsig.keyinfo.X509Data;
+import javax.xml.crypto.dsig.spec.C14NMethodParameterSpec;
+import javax.xml.crypto.dsig.spec.TransformParameterSpec;
+import javax.xml.namespace.QName;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.transform.Transformer;
+import javax.xml.transform.TransformerException;
+import javax.xml.transform.TransformerFactory;
+import javax.xml.transform.stream.StreamResult;
+import java.io.ByteArrayInputStream;
+import java.io.OutputStream;
+import java.security.GeneralSecurityException;
+import java.security.Key;
+import java.security.KeyException;
+import java.security.KeyPair;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.DSAPublicKey;
+import java.security.interfaces.RSAPublicKey;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+
+/**
+ * Utility for XML Signature <b>Note:</b> You can change the canonicalization method type by using the system property
+ * "picketlink.xmlsig.canonicalization"
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @author alessio.soldano@jboss.com
+ * @since Dec 15, 2008
+ */
+public class XMLSignatureUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    // Set some system properties and Santuario providers. Run this block before any other class initialization.
+    static {
+        ProvidersUtil.ensure();
+        SystemPropertiesUtil.ensure();
+        String keyInfoProp = SecurityActions.getSystemProperty("picketlink.xmlsig.includeKeyInfo", null);
+        if (StringUtil.isNotNull(keyInfoProp)) {
+            includeKeyInfoInSignature = Boolean.parseBoolean(keyInfoProp);
+        }
+    }
+
+    ;
+
+    private static String canonicalizationMethodType = CanonicalizationMethod.EXCLUSIVE_WITH_COMMENTS;
+
+    private static XMLSignatureFactory fac = getXMLSignatureFactory();
+
+    /**
+     * By default, we include the keyinfo in the signature
+     */
+    private static boolean includeKeyInfoInSignature = true;
+
+    private static XMLSignatureFactory getXMLSignatureFactory() {
+        XMLSignatureFactory xsf = null;
+
+        try {
+            xsf = XMLSignatureFactory.getInstance("DOM", "ApacheXMLDSig");
+        } catch (NoSuchProviderException ex) {
+            try {
+                xsf = XMLSignatureFactory.getInstance("DOM");
+            } catch (Exception err) {
+                throw new RuntimeException(logger.couldNotCreateInstance("DOM", err));
+            }
+        }
+        return xsf;
+    }
+
+    /**
+     * Set the canonicalization method type
+     *
+     * @param canonical
+     */
+    public static void setCanonicalizationMethodType(String canonical) {
+        if (canonical != null)
+            canonicalizationMethodType = canonical;
+    }
+
+    /**
+     * Use this method to not include the KeyInfo in the signature
+     *
+     * @param includeKeyInfoInSignature
+     *
+     * @since v2.0.1
+     */
+    public static void setIncludeKeyInfoInSignature(boolean includeKeyInfoInSignature) {
+        XMLSignatureUtil.includeKeyInfoInSignature = includeKeyInfoInSignature;
+    }
+
+    /**
+     * Precheck whether the document that will be validated has the right signedinfo
+     *
+     * @param doc
+     *
+     * @return
+     */
+    public static boolean preCheckSignedInfo(Document doc) {
+        NodeList nl = doc.getElementsByTagNameNS(JBossSAMLURIConstants.XMLDSIG_NSURI.get(), "SignedInfo");
+        return nl != null ? nl.getLength() > 0 : false;
+    }
+
+    /**
+     * Sign a node in a document
+     *
+     * @param doc Document
+     * @param parentOfNodeToBeSigned Parent Node of the node to be signed
+     * @param signingKey Private Key
+     * @param certificate X509 Certificate holding the public key
+     * @param digestMethod (Example: DigestMethod.SHA1)
+     * @param signatureMethod (Example: SignatureMethod.DSA_SHA1)
+     * @param referenceURI
+     *
+     * @return Document that contains the signed node
+     *
+     * @throws XMLSignatureException
+     * @throws MarshalException
+     * @throws GeneralSecurityException
+     * @throws ParserConfigurationException
+     */
+    public static Document sign(Document doc, Node parentOfNodeToBeSigned, PrivateKey signingKey, X509Certificate certificate,
+                                String digestMethod, String signatureMethod, String referenceURI) throws ParserConfigurationException,
+            GeneralSecurityException, MarshalException, XMLSignatureException {
+        KeyPair keyPair = new KeyPair(certificate.getPublicKey(), signingKey);
+        return sign(doc, parentOfNodeToBeSigned, keyPair, digestMethod, signatureMethod, referenceURI);
+    }
+
+    /**
+     * Sign a node in a document
+     *
+     * @param doc
+     * @param nodeToBeSigned
+     * @param keyPair
+     * @param publicKey
+     * @param digestMethod
+     * @param signatureMethod
+     * @param referenceURI
+     *
+     * @return
+     *
+     * @throws ParserConfigurationException
+     * @throws XMLSignatureException
+     * @throws MarshalException
+     * @throws GeneralSecurityException
+     */
+    public static Document sign(Document doc, Node nodeToBeSigned, KeyPair keyPair, String digestMethod,
+                                String signatureMethod, String referenceURI) throws ParserConfigurationException, GeneralSecurityException,
+            MarshalException, XMLSignatureException {
+        if (nodeToBeSigned == null)
+            throw logger.nullArgumentError("Node to be signed");
+
+        if (logger.isTraceEnabled()) {
+            logger.trace("Document to be signed=" + DocumentUtil.asString(doc));
+        }
+
+        Node parentNode = nodeToBeSigned.getParentNode();
+
+        // Let us create a new Document
+        Document newDoc = DocumentUtil.createDocument();
+        // Import the node
+        Node signingNode = newDoc.importNode(nodeToBeSigned, true);
+        newDoc.appendChild(signingNode);
+
+        if (!referenceURI.isEmpty()) {
+            propagateIDAttributeSetup(nodeToBeSigned, newDoc.getDocumentElement());
+        }
+        newDoc = sign(newDoc, keyPair, digestMethod, signatureMethod, referenceURI);
+
+        // if the signed element is a SAMLv2.0 assertion we need to move the signature element to the position
+        // specified in the schema (before the assertion subject element).
+        if (nodeToBeSigned.getLocalName().equals("Assertion")
+                && WSTrustConstants.SAML2_ASSERTION_NS.equals(nodeToBeSigned.getNamespaceURI())) {
+            Node signatureNode = DocumentUtil.getElement(newDoc, new QName(WSTrustConstants.DSIG_NS, "Signature"));
+            Node subjectNode = DocumentUtil.getElement(newDoc, new QName(WSTrustConstants.SAML2_ASSERTION_NS, "Subject"));
+            if (signatureNode != null && subjectNode != null) {
+                newDoc.getDocumentElement().removeChild(signatureNode);
+                newDoc.getDocumentElement().insertBefore(signatureNode, subjectNode);
+            }
+        }
+
+        // Now let us import this signed doc into the original document we got in the method call
+        Node signedNode = doc.importNode(newDoc.getFirstChild(), true);
+
+        if (!referenceURI.isEmpty()) {
+            propagateIDAttributeSetup(newDoc.getDocumentElement(), (Element) signedNode);
+        }
+
+        parentNode.replaceChild(signedNode, nodeToBeSigned);
+        // doc.getDocumentElement().replaceChild(signedNode, nodeToBeSigned);
+
+        return doc;
+    }
+
+    /**
+     * Sign a node in a document
+     *
+     * @param doc
+     * @param nodeToBeSigned
+     * @param keyPair
+     * @param publicKey
+     * @param digestMethod
+     * @param signatureMethod
+     * @param referenceURI
+     *
+     * @return
+     *
+     * @throws ParserConfigurationException
+     * @throws XMLSignatureException
+     * @throws MarshalException
+     * @throws GeneralSecurityException
+     */
+    public static Document sign(Document doc, Node nodeToBeSigned, KeyPair keyPair, String digestMethod,
+                                String signatureMethod, String referenceURI, X509Certificate x509Certificate) throws ParserConfigurationException, GeneralSecurityException,
+            MarshalException, XMLSignatureException {
+        if (nodeToBeSigned == null)
+            throw logger.nullArgumentError("Node to be signed");
+
+        if (logger.isTraceEnabled()) {
+            logger.trace("Document to be signed=" + DocumentUtil.asString(doc));
+        }
+
+        Node parentNode = nodeToBeSigned.getParentNode();
+
+        // Let us create a new Document
+        Document newDoc = DocumentUtil.createDocument();
+        // Import the node
+        Node signingNode = newDoc.importNode(nodeToBeSigned, true);
+        newDoc.appendChild(signingNode);
+
+        if (!referenceURI.isEmpty()) {
+            propagateIDAttributeSetup(nodeToBeSigned, newDoc.getDocumentElement());
+        }
+        newDoc = sign(newDoc, keyPair, digestMethod, signatureMethod, referenceURI, x509Certificate);
+
+        // if the signed element is a SAMLv2.0 assertion we need to move the signature element to the position
+        // specified in the schema (before the assertion subject element).
+        if (nodeToBeSigned.getLocalName().equals("Assertion")
+                && WSTrustConstants.SAML2_ASSERTION_NS.equals(nodeToBeSigned.getNamespaceURI())) {
+            Node signatureNode = DocumentUtil.getElement(newDoc, new QName(WSTrustConstants.DSIG_NS, "Signature"));
+            Node subjectNode = DocumentUtil.getElement(newDoc, new QName(WSTrustConstants.SAML2_ASSERTION_NS, "Subject"));
+            if (signatureNode != null && subjectNode != null) {
+                newDoc.getDocumentElement().removeChild(signatureNode);
+                newDoc.getDocumentElement().insertBefore(signatureNode, subjectNode);
+            }
+        }
+
+        // Now let us import this signed doc into the original document we got in the method call
+        Node signedNode = doc.importNode(newDoc.getFirstChild(), true);
+
+        if (!referenceURI.isEmpty()) {
+            propagateIDAttributeSetup(newDoc.getDocumentElement(), (Element) signedNode);
+        }
+
+        parentNode.replaceChild(signedNode, nodeToBeSigned);
+        // doc.getDocumentElement().replaceChild(signedNode, nodeToBeSigned);
+
+        return doc;
+    }
+
+    /**
+     * Sign only specified element (assumption is that it already has ID attribute set)
+     *
+     * @param elementToSign element to sign with set ID
+     * @param nextSibling child of elementToSign, which will be used as next sibling of created signature
+     * @param keyPair
+     * @param digestMethod
+     * @param signatureMethod
+     * @param referenceURI
+     *
+     * @throws GeneralSecurityException
+     * @throws MarshalException
+     * @throws XMLSignatureException
+     */
+    public static void sign(Element elementToSign, Node nextSibling, KeyPair keyPair, String digestMethod,
+                            String signatureMethod, String referenceURI)
+            throws GeneralSecurityException, MarshalException, XMLSignatureException {
+        sign(elementToSign, nextSibling, keyPair, digestMethod, signatureMethod, referenceURI, null);
+    }
+
+    /**
+     * Sign only specified element (assumption is that it already has ID attribute set)
+     *
+     * @param elementToSign element to sign with set ID
+     * @param nextSibling child of elementToSign, which will be used as next sibling of created signature
+     * @param keyPair
+     * @param digestMethod
+     * @param signatureMethod
+     * @param referenceURI
+     * @param x509Certificate {@link X509Certificate} to be placed in SignedInfo
+     *
+     * @throws GeneralSecurityException
+     * @throws MarshalException
+     * @throws XMLSignatureException
+     * @since 2.5.0
+     */
+    public static void sign(Element elementToSign, Node nextSibling, KeyPair keyPair, String digestMethod,
+                            String signatureMethod, String referenceURI, X509Certificate x509Certificate)
+            throws GeneralSecurityException, MarshalException, XMLSignatureException {
+        PrivateKey signingKey = keyPair.getPrivate();
+        PublicKey publicKey = keyPair.getPublic();
+
+        DOMSignContext dsc = new DOMSignContext(signingKey, elementToSign, nextSibling);
+
+        signImpl(dsc, digestMethod, signatureMethod, referenceURI, publicKey, x509Certificate);
+    }
+
+    /**
+     * Setup the ID attribute into <code>destElement</code> depending on the <code>isId</code> flag of an attribute of
+     * <code>sourceNode</code>.
+     *
+     * @param sourceNode
+     * @param destDocElement
+     */
+    public static void propagateIDAttributeSetup(Node sourceNode, Element destElement) {
+        NamedNodeMap nnm = sourceNode.getAttributes();
+        for (int i = 0; i < nnm.getLength(); i++) {
+            Attr attr = (Attr) nnm.item(i);
+            if (attr.isId()) {
+                destElement.setIdAttribute(attr.getName(), true);
+                break;
+            }
+        }
+    }
+
+    /**
+     * Sign the root element
+     *
+     * @param doc
+     * @param signingKey
+     * @param publicKey
+     * @param digestMethod
+     * @param signatureMethod
+     * @param referenceURI
+     *
+     * @return
+     *
+     * @throws GeneralSecurityException
+     * @throws XMLSignatureException
+     * @throws MarshalException
+     */
+    public static Document sign(Document doc, KeyPair keyPair, String digestMethod, String signatureMethod, String referenceURI)
+            throws GeneralSecurityException, MarshalException, XMLSignatureException {
+        return sign(doc, keyPair, digestMethod, signatureMethod, referenceURI, null);
+    }
+
+    /**
+     * Sign the root element
+     *
+     * @param doc
+     * @param signingKey
+     * @param publicKey
+     * @param digestMethod
+     * @param signatureMethod
+     * @param referenceURI
+     *
+     * @return
+     *
+     * @throws GeneralSecurityException
+     * @throws XMLSignatureException
+     * @throws MarshalException
+     * @since 2.5.0
+     */
+    public static Document sign(Document doc, KeyPair keyPair, String digestMethod, String signatureMethod, String referenceURI,
+                                X509Certificate x509Certificate)
+            throws GeneralSecurityException, MarshalException, XMLSignatureException {
+        logger.trace("Document to be signed=" + DocumentUtil.asString(doc));
+        PrivateKey signingKey = keyPair.getPrivate();
+        PublicKey publicKey = keyPair.getPublic();
+
+        DOMSignContext dsc = new DOMSignContext(signingKey, doc.getDocumentElement());
+
+        signImpl(dsc, digestMethod, signatureMethod, referenceURI, publicKey, x509Certificate);
+
+        return doc;
+    }
+
+    /**
+     * Sign the root element
+     *
+     * @param doc
+     * @param signingKey
+     * @param publicKey
+     * @param digestMethod
+     * @param signatureMethod
+     * @param referenceURI
+     *
+     * @return
+     *
+     * @throws GeneralSecurityException
+     * @throws XMLSignatureException
+     * @throws MarshalException
+     */
+    public static Document sign(SignatureUtilTransferObject dto) throws GeneralSecurityException, MarshalException,
+            XMLSignatureException {
+        Document doc = dto.getDocumentToBeSigned();
+        KeyPair keyPair = dto.getKeyPair();
+        Node nextSibling = dto.getNextSibling();
+        String digestMethod = dto.getDigestMethod();
+        String referenceURI = dto.getReferenceURI();
+        String signatureMethod = dto.getSignatureMethod();
+
+        logger.trace("Document to be signed=" + DocumentUtil.asString(doc));
+
+        PrivateKey signingKey = keyPair.getPrivate();
+        PublicKey publicKey = keyPair.getPublic();
+
+        DOMSignContext dsc = new DOMSignContext(signingKey, doc.getDocumentElement(), nextSibling);
+
+        signImpl(dsc, digestMethod, signatureMethod, referenceURI, publicKey, dto.getX509Certificate());
+
+        return doc;
+    }
+
+    /**
+     * Validate a signed document with the given public key
+     *
+     * @param signedDoc
+     * @param publicKey
+     *
+     * @return
+     *
+     * @throws MarshalException
+     * @throws XMLSignatureException
+     */
+    @SuppressWarnings("unchecked")
+    public static boolean validate(Document signedDoc, Key publicKey) throws MarshalException, XMLSignatureException {
+        if (signedDoc == null)
+            throw logger.nullArgumentError("Signed Document");
+
+        propagateIDAttributeSetup(signedDoc.getDocumentElement(), signedDoc.getDocumentElement());
+
+        NodeList nl = signedDoc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
+
+        if (nl == null || nl.getLength() == 0) {
+            throw logger.nullValueError("Cannot find Signature element");
+        }
+
+        if (publicKey == null)
+            throw logger.nullValueError("Public Key");
+
+        for (int i = 0; i < nl.getLength(); i++) {
+            DOMValidateContext valContext = new DOMValidateContext(publicKey, nl.item(i));
+            XMLSignature signature = fac.unmarshalXMLSignature(valContext);
+
+            boolean coreValidity = signature.validate(valContext);
+
+            if (!coreValidity) {
+                if (logger.isTraceEnabled()) {
+                    boolean sv = signature.getSignatureValue().validate(valContext);
+                    logger.trace("Signature validation status: " + sv);
+
+                    List<Reference> references = signature.getSignedInfo().getReferences();
+                    for (Reference ref : references) {
+                        logger.trace("[Ref id=" + ref.getId() + ":uri=" + ref.getURI() + "]validity status:" + ref.validate(valContext));
+                    }
+                }
+
+                return false;
+            }
+        }
+
+        return true;
+    }
+
+    /**
+     * Marshall a SignatureType to output stream
+     *
+     * @param signature
+     * @param os
+     *
+     * @throws SAXException
+     * @throws JAXBException
+     */
+    public static void marshall(SignatureType signature, OutputStream os) throws JAXBException, SAXException {
+        throw logger.notImplementedYet("NYI");
+        /*
+         * JAXBElement<SignatureType> jsig = objectFactory.createSignature(signature); Marshaller marshaller =
+         * JAXBUtil.getValidatingMarshaller(pkgName, schemaLocation); marshaller.marshal(jsig, os);
+         */
+    }
+
+    /**
+     * Marshall the signed document to an output stream
+     *
+     * @param signedDocument
+     * @param os
+     *
+     * @throws TransformerException
+     */
+    public static void marshall(Document signedDocument, OutputStream os) throws TransformerException {
+        TransformerFactory tf = TransformerUtil.getTransformerFactory();
+        Transformer trans = tf.newTransformer();
+        trans.transform(DocumentUtil.getXMLSource(signedDocument), new StreamResult(os));
+    }
+
+    /**
+     * Given the X509Certificate in the keyinfo element, get a {@link X509Certificate}
+     *
+     * @param certificateString
+     *
+     * @return
+     *
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     */
+    public static X509Certificate getX509CertificateFromKeyInfoString(String certificateString) throws ProcessingException {
+        X509Certificate cert = null;
+        StringBuilder builder = new StringBuilder();
+        builder.append("-----BEGIN CERTIFICATE-----\n").append(certificateString).append("\n-----END CERTIFICATE-----");
+
+        String derFormattedString = builder.toString();
+
+        try {
+            CertificateFactory cf = CertificateFactory.getInstance("X.509");
+            ByteArrayInputStream bais = new ByteArrayInputStream(derFormattedString.getBytes());
+
+            while (bais.available() > 0) {
+                cert = (X509Certificate) cf.generateCertificate(bais);
+            }
+        } catch (java.security.cert.CertificateException e) {
+            throw logger.processingError(e);
+        }
+        return cert;
+    }
+
+    /**
+     * Given a dsig:DSAKeyValue element, return {@link DSAKeyValueType}
+     *
+     * @param element
+     *
+     * @return
+     *
+     * @throws ProcessingException
+     */
+    public static DSAKeyValueType getDSAKeyValue(Element element) throws ParsingException {
+        DSAKeyValueType dsa = new DSAKeyValueType();
+        NodeList nl = element.getChildNodes();
+        int length = nl.getLength();
+
+        for (int i = 0; i < length; i++) {
+            Node node = nl.item(i);
+            if (node instanceof Element) {
+                Element childElement = (Element) node;
+                String tag = childElement.getLocalName();
+
+                byte[] text = childElement.getTextContent().getBytes();
+
+                if (WSTrustConstants.XMLDSig.P.equals(tag)) {
+                    dsa.setP(text);
+                } else if (WSTrustConstants.XMLDSig.Q.equals(tag)) {
+                    dsa.setQ(text);
+                } else if (WSTrustConstants.XMLDSig.G.equals(tag)) {
+                    dsa.setG(text);
+                } else if (WSTrustConstants.XMLDSig.Y.equals(tag)) {
+                    dsa.setY(text);
+                } else if (WSTrustConstants.XMLDSig.SEED.equals(tag)) {
+                    dsa.setSeed(text);
+                } else if (WSTrustConstants.XMLDSig.PGEN_COUNTER.equals(tag)) {
+                    dsa.setPgenCounter(text);
+                }
+            }
+        }
+
+        return dsa;
+    }
+
+    /**
+     * Given a dsig:DSAKeyValue element, return {@link DSAKeyValueType}
+     *
+     * @param element
+     *
+     * @return
+     *
+     * @throws ProcessingException
+     */
+    public static RSAKeyValueType getRSAKeyValue(Element element) throws ParsingException {
+        RSAKeyValueType rsa = new RSAKeyValueType();
+        NodeList nl = element.getChildNodes();
+        int length = nl.getLength();
+
+        for (int i = 0; i < length; i++) {
+            Node node = nl.item(i);
+            if (node instanceof Element) {
+                Element childElement = (Element) node;
+                String tag = childElement.getLocalName();
+
+                byte[] text = childElement.getTextContent().getBytes();
+
+                if (WSTrustConstants.XMLDSig.MODULUS.equals(tag)) {
+                    rsa.setModulus(text);
+                } else if (WSTrustConstants.XMLDSig.EXPONENT.equals(tag)) {
+                    rsa.setExponent(text);
+                }
+            }
+        }
+
+        return rsa;
+    }
+
+    /**
+     * <p>
+     * Creates a {@code KeyValueType} that wraps the specified public key. This method supports DSA and RSA keys.
+     * </p>
+     *
+     * @param key the {@code PublicKey} that will be represented as a {@code KeyValueType}.
+     *
+     * @return the constructed {@code KeyValueType} or {@code null} if the specified key is neither a DSA nor a RSA
+     *         key.
+     */
+    public static KeyValueType createKeyValue(PublicKey key) {
+        if (key instanceof RSAPublicKey) {
+            RSAPublicKey pubKey = (RSAPublicKey) key;
+            byte[] modulus = pubKey.getModulus().toByteArray();
+            byte[] exponent = pubKey.getPublicExponent().toByteArray();
+
+            RSAKeyValueType rsaKeyValue = new RSAKeyValueType();
+            rsaKeyValue.setModulus(Base64.encodeBytes(modulus).getBytes());
+            rsaKeyValue.setExponent(Base64.encodeBytes(exponent).getBytes());
+            return rsaKeyValue;
+        } else if (key instanceof DSAPublicKey) {
+            DSAPublicKey pubKey = (DSAPublicKey) key;
+            byte[] P = pubKey.getParams().getP().toByteArray();
+            byte[] Q = pubKey.getParams().getQ().toByteArray();
+            byte[] G = pubKey.getParams().getG().toByteArray();
+            byte[] Y = pubKey.getY().toByteArray();
+
+            DSAKeyValueType dsaKeyValue = new DSAKeyValueType();
+            dsaKeyValue.setP(Base64.encodeBytes(P).getBytes());
+            dsaKeyValue.setQ(Base64.encodeBytes(Q).getBytes());
+            dsaKeyValue.setG(Base64.encodeBytes(G).getBytes());
+            dsaKeyValue.setY(Base64.encodeBytes(Y).getBytes());
+            return dsaKeyValue;
+        }
+        throw logger.unsupportedType(key.toString());
+    }
+
+    private static void signImpl(DOMSignContext dsc, String digestMethod, String signatureMethod, String referenceURI, PublicKey publicKey,
+                                 X509Certificate x509Certificate)
+            throws GeneralSecurityException, MarshalException, XMLSignatureException {
+        dsc.setDefaultNamespacePrefix("dsig");
+
+        DigestMethod digestMethodObj = fac.newDigestMethod(digestMethod, null);
+        Transform transform1 = fac.newTransform(Transform.ENVELOPED, (TransformParameterSpec) null);
+        Transform transform2 = fac.newTransform("http://www.w3.org/2001/10/xml-exc-c14n#", (TransformParameterSpec) null);
+
+        List<Transform> transformList = new ArrayList<Transform>();
+        transformList.add(transform1);
+        transformList.add(transform2);
+
+        Reference ref = fac.newReference(referenceURI, digestMethodObj, transformList, null, null);
+
+        CanonicalizationMethod canonicalizationMethod = fac.newCanonicalizationMethod(canonicalizationMethodType,
+                (C14NMethodParameterSpec) null);
+
+        List<Reference> referenceList = Collections.singletonList(ref);
+        SignatureMethod signatureMethodObj = fac.newSignatureMethod(signatureMethod, null);
+        SignedInfo si = fac.newSignedInfo(canonicalizationMethod, signatureMethodObj, referenceList);
+
+        KeyInfo ki = null;
+        if (includeKeyInfoInSignature) {
+            ki = createKeyInfo(publicKey, x509Certificate);
+        }
+        XMLSignature signature = fac.newXMLSignature(si, ki);
+
+        signature.sign(dsc);
+    }
+
+    private static KeyInfo createKeyInfo(PublicKey publicKey, X509Certificate x509Certificate) throws KeyException {
+        KeyInfoFactory keyInfoFactory = fac.getKeyInfoFactory();
+        KeyInfo keyInfo = null;
+        KeyValue keyValue = null;
+        //Just with public key
+        if (publicKey != null) {
+            keyValue = keyInfoFactory.newKeyValue(publicKey);
+            keyInfo = keyInfoFactory.newKeyInfo(Collections.singletonList(keyValue));
+        }
+        if (x509Certificate != null) {
+            List x509list = new ArrayList();
+
+            x509list.add(x509Certificate);
+            X509Data x509Data = keyInfoFactory.newX509Data(x509list);
+            List items = new ArrayList();
+
+            items.add(x509Data);
+            if (keyValue != null) {
+                items.add(keyValue);
+            }
+            keyInfo = keyInfoFactory.newKeyInfo(items);
+        }
+        return keyInfo;
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/PostBindingUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/PostBindingUtil.java
new file mode 100755
index 0000000000..3cf658aa60
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/PostBindingUtil.java
@@ -0,0 +1,94 @@
+/*
+ * JBoss, Home of Professional Open Source.
+ * Copyright 2008, Red Hat Middleware LLC, and individual contributors
+ * as indicated by the @author tags. See the copyright.txt file in the
+ * distribution for a full listing of individual contributors.
+ *
+ * This is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * This software is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this software; if not, write to the Free
+ * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA
+ * 02110-1301 USA, or see the FSF site: http://www.fsf.org.
+ */
+package org.keycloak.saml.processing.web.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.util.Base64;
+
+import java.io.ByteArrayInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+
+/**
+ * Utility for the HTTP/Post binding
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since May 22, 2009
+ */
+public class PostBindingUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * Apply base64 encoding on the message
+     *
+     * @param stringToEncode
+     *
+     * @return
+     */
+    public static String base64Encode(String stringToEncode) throws IOException {
+        return Base64.encodeBytes(stringToEncode.getBytes("UTF-8"), Base64.DONT_BREAK_LINES);
+    }
+
+    /**
+     * Apply base64 decoding on the message and return the byte array
+     *
+     * @param encodedString
+     *
+     * @return
+     */
+    public static byte[] base64Decode(String encodedString) {
+        if (encodedString == null)
+            throw logger.nullArgumentError("encodedString");
+
+        return Base64.decode(encodedString);
+    }
+
+    /**
+     * Apply base64 decoding on the message and return the stream
+     *
+     * @param encodedString
+     *
+     * @return
+     */
+    public static InputStream base64DecodeAsStream(String encodedString) {
+        if (encodedString == null)
+            throw logger.nullArgumentError("encodedString");
+
+        return new ByteArrayInputStream(base64Decode(encodedString));
+    }
+
+    public static String escapeHTML(String toEscape) {
+        StringBuilder escaped = new StringBuilder();
+
+        for (int i = 0; i < toEscape.length(); i++) {
+            char chr = toEscape.charAt(i);
+
+            if (chr != '"' && chr != '<' && chr != '>') {
+                escaped.append(chr);
+            }
+        }
+
+        return escaped.toString();
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/RedirectBindingSignatureUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/RedirectBindingSignatureUtil.java
new file mode 100755
index 0000000000..a9c376526e
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/RedirectBindingSignatureUtil.java
@@ -0,0 +1,345 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.web.util;
+
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.DocumentUtil;
+import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
+import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
+import org.keycloak.saml.processing.core.saml.v2.util.SignatureUtil;
+import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
+import org.w3c.dom.Document;
+import org.xml.sax.SAXException;
+
+import java.io.IOException;
+import java.io.StringWriter;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.security.GeneralSecurityException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+
+import static org.keycloak.saml.common.util.StringUtil.isNotNull;
+
+/**
+ * Signature Support for the HTTP/Redirect binding
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 16, 2008
+ */
+public class RedirectBindingSignatureUtil {
+
+    private static final PicketLinkLogger logger = PicketLinkLoggerFactory.getLogger();
+
+    /**
+     * Get the URL for the SAML request that contains the signature and signature algorithm
+     *
+     * @param authRequest
+     * @param relayState
+     * @param signingKey
+     *
+     * @return
+     *
+     * @throws SAXException
+     * @throws IOException
+     * @throws GeneralSecurityException
+     */
+    public static String getSAMLRequestURLWithSignature(AuthnRequestType authRequest, String relayState, PrivateKey signingKey)
+            throws SAXException, IOException, GeneralSecurityException {
+        SAML2Request saml2Request = new SAML2Request();
+
+        // Deal with the original request
+        StringWriter sw = new StringWriter();
+
+        saml2Request.marshall(authRequest, sw);
+
+        // URL Encode the Request
+        String urlEncodedRequest = RedirectBindingUtil.deflateBase64URLEncode(sw.toString());
+
+        String urlEncodedRelayState = null;
+
+        if (isNotNull(relayState))
+            urlEncodedRelayState = URLEncoder.encode(relayState, "UTF-8");
+
+        byte[] sigValue = computeSignature(GeneralConstants.SAML_REQUEST_KEY, urlEncodedRequest, urlEncodedRelayState,
+                signingKey);
+
+        // Now construct the URL
+        return getRequestRedirectURLWithSignature(urlEncodedRequest, urlEncodedRelayState, sigValue, signingKey.getAlgorithm());
+    }
+
+    /**
+     * Get the URL for the SAML request that contains the signature and signature algorithm
+     *
+     * @param responseType
+     * @param relayState
+     * @param signingKey
+     *
+     * @return
+     *
+     * @throws IOException
+     * @throws GeneralSecurityException
+     */
+    public static String getSAMLResponseURLWithSignature(ResponseType responseType, String relayState, PrivateKey signingKey)
+            throws IOException, GeneralSecurityException {
+        SAML2Response saml2Response = new SAML2Response();
+
+        Document responseDoc = saml2Response.convert(responseType);
+
+        // URL Encode the Request
+        String responseString = DocumentUtil.getDocumentAsString(responseDoc);
+
+        String urlEncodedResponse = RedirectBindingUtil.deflateBase64URLEncode(responseString);
+
+        String urlEncodedRelayState = null;
+        if (isNotNull(relayState))
+            urlEncodedRelayState = URLEncoder.encode(relayState, "UTF-8");
+
+        byte[] sigValue = computeSignature(GeneralConstants.SAML_RESPONSE_KEY, urlEncodedResponse, urlEncodedRelayState,
+                signingKey);
+
+        // Now construct the URL
+        return getResponseRedirectURLWithSignature(urlEncodedResponse, urlEncodedRelayState, sigValue,
+                signingKey.getAlgorithm());
+    }
+
+    /**
+     * Given an url-encoded saml request and relay state and a private key, compute the url
+     *
+     * @param urlEncodedRequest
+     * @param urlEncodedRelayState
+     * @param signingKey
+     *
+     * @return
+     *
+     * @throws GeneralSecurityException
+     * @throws IOException
+     */
+    public static String getSAMLRequestURLWithSignature(String urlEncodedRequest, String urlEncodedRelayState,
+                                                        PrivateKey signingKey) throws IOException, GeneralSecurityException {
+        byte[] sigValue = computeSignature(GeneralConstants.SAML_REQUEST_KEY, urlEncodedRequest, urlEncodedRelayState,
+                signingKey);
+        return getRequestRedirectURLWithSignature(urlEncodedRequest, urlEncodedRelayState, sigValue, signingKey.getAlgorithm());
+    }
+
+    /**
+     * Given an url-encoded saml response and relay state and a private key, compute the url
+     *
+     * @param urlEncodedResponse
+     * @param urlEncodedRelayState
+     * @param signingKey
+     *
+     * @return
+     *
+     * @throws GeneralSecurityException
+     * @throws IOException
+     */
+    public static String getSAMLResponseURLWithSignature(String urlEncodedResponse, String urlEncodedRelayState,
+                                                         PrivateKey signingKey) throws IOException, GeneralSecurityException {
+        byte[] sigValue = computeSignature(GeneralConstants.SAML_RESPONSE_KEY, urlEncodedResponse, urlEncodedRelayState,
+                signingKey);
+        return getResponseRedirectURLWithSignature(urlEncodedResponse, urlEncodedRelayState, sigValue,
+                signingKey.getAlgorithm());
+    }
+
+    /**
+     * From the SAML Request URL, get the Request object
+     *
+     * @param signedURL
+     *
+     * @return
+     *
+     * @throws IOException
+     * @throws ParsingException
+     * @throws org.keycloak.saml.common.exceptions.ProcessingException
+     * @throws ConfigurationException
+     */
+    public static AuthnRequestType getRequestFromSignedURL(String signedURL) throws ConfigurationException,
+            ProcessingException, ParsingException, IOException {
+        String samlRequestTokenValue = getTokenValue(signedURL, GeneralConstants.SAML_REQUEST_KEY);
+
+        SAML2Request saml2Request = new SAML2Request();
+        return saml2Request.getAuthnRequestType(RedirectBindingUtil.urlBase64DeflateDecode(samlRequestTokenValue));
+    }
+
+    /**
+     * Get the signature value from the url
+     *
+     * @param signedURL
+     *
+     * @return
+     *
+     * @throws IOException
+     */
+    public static byte[] getSignatureValueFromSignedURL(String signedURL) throws IOException {
+        String sigValueTokenValue = getTokenValue(signedURL, GeneralConstants.SAML_SIGNATURE_REQUEST_KEY);
+        if (sigValueTokenValue == null)
+            throw new IllegalStateException(logger.samlHandlerSignatureNotPresentError());
+        return RedirectBindingUtil.urlBase64Decode(sigValueTokenValue);
+    }
+
+    /**
+     * From the query string that contains key/value pairs, get the value of a key <b>Note:</b> if the token is null, a
+     * null
+     * value is returned
+     *
+     * @param queryString
+     * @param token
+     *
+     * @return
+     */
+    public static String getTokenValue(String queryString, String token) {
+        return getTokenValue(getToken(queryString, token));
+    }
+
+    public static boolean validateSignature(String queryString, PublicKey validatingKey, byte[] sigValue)
+            throws UnsupportedEncodingException, GeneralSecurityException {
+        // Construct the url again
+        StringBuilder sb = new StringBuilder();
+
+        if (isRequestQueryString(queryString)) {
+            addParameter(sb, GeneralConstants.SAML_REQUEST_KEY,
+                    RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.SAML_REQUEST_KEY));
+        } else {
+            addParameter(sb, GeneralConstants.SAML_RESPONSE_KEY,
+                    RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.SAML_RESPONSE_KEY));
+        }
+
+        String relayStateFromURL = RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.RELAY_STATE);
+
+        if (isNotNull(relayStateFromURL)) {
+            addParameter(sb, GeneralConstants.RELAY_STATE, relayStateFromURL);
+        }
+
+        addParameter(sb, GeneralConstants.SAML_SIG_ALG_REQUEST_KEY,
+                RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.SAML_SIG_ALG_REQUEST_KEY));
+
+        return SignatureUtil.validate(sb.toString().getBytes("UTF-8"), sigValue, validatingKey);
+    }
+
+    private static boolean isRequestQueryString(String queryString) {
+        return RedirectBindingSignatureUtil.getTokenValue(queryString, GeneralConstants.SAML_REQUEST_KEY) != null;
+    }
+
+    // ***************** Private Methods **************
+
+    private static byte[] computeSignature(String samlParameter, String urlEncoded, String urlEncodedRelayState,
+                                           PrivateKey signingKey) throws IOException, GeneralSecurityException {
+        StringBuilder sb = new StringBuilder();
+
+        addParameter(sb, samlParameter, urlEncoded);
+
+        if (isNotNull(urlEncodedRelayState)) {
+            addParameter(sb, GeneralConstants.RELAY_STATE, urlEncodedRelayState);
+        }
+
+        // SigAlg
+        String algo = signingKey.getAlgorithm();
+        String sigAlg = SignatureUtil.getXMLSignatureAlgorithmURI(algo);
+
+        sigAlg = URLEncoder.encode(sigAlg, "UTF-8");
+
+        addParameter(sb, GeneralConstants.SAML_SIG_ALG_REQUEST_KEY, sigAlg);
+
+        byte[] sigValue = SignatureUtil.sign(sb.toString(), signingKey);
+
+        return sigValue;
+    }
+
+    private static String getRequestRedirectURLWithSignature(String urlEncodedRequest, String urlEncodedRelayState,
+                                                             byte[] signature, String sigAlgo) throws IOException {
+        return getRedirectURLWithSignature(GeneralConstants.SAML_REQUEST_KEY, urlEncodedRequest, urlEncodedRelayState,
+                signature, sigAlgo);
+    }
+
+    private static String getResponseRedirectURLWithSignature(String urlEncodedResponse, String urlEncodedRelayState,
+                                                              byte[] signature, String sigAlgo) throws IOException {
+        return getRedirectURLWithSignature(GeneralConstants.SAML_RESPONSE_KEY, urlEncodedResponse, urlEncodedRelayState,
+                signature, sigAlgo);
+    }
+
+    private static String getRedirectURLWithSignature(String samlParameter, String urlEncoded, String urlEncodedRelayState,
+                                                      byte[] signature, String sigAlgo) throws IOException {
+        StringBuilder sb = new StringBuilder();
+
+        addParameter(sb, samlParameter, urlEncoded);
+
+        if (isNotNull(urlEncodedRelayState)) {
+            addParameter(sb, GeneralConstants.RELAY_STATE, urlEncodedRelayState);
+        }
+
+        // SigAlg
+        String sigAlg = SignatureUtil.getXMLSignatureAlgorithmURI(sigAlgo);
+
+        sigAlg = URLEncoder.encode(sigAlg, "UTF-8");
+
+        addParameter(sb, GeneralConstants.SAML_SIG_ALG_REQUEST_KEY, sigAlg);
+
+        // Encode the signature value
+        String encodedSig = RedirectBindingUtil.base64URLEncode(signature);
+
+        addParameter(sb, GeneralConstants.SAML_SIGNATURE_REQUEST_KEY, encodedSig);
+
+        return sb.toString();
+    }
+
+    private static void addParameter(StringBuilder queryString, String paramName, String paramValue) {
+        String parameterSeparator = "&";
+
+        if (queryString.length() == 0) {
+            parameterSeparator = "";
+        }
+
+        queryString.append(parameterSeparator).append(paramName).append("=").append(paramValue);
+    }
+
+    private static String getToken(String queryString, String token) {
+        if (queryString == null)
+            throw logger.nullArgumentError("queryString");
+
+        token += "=";
+
+        int start = queryString.indexOf(token);
+        if (start < 0)
+            return null;
+
+        int end = queryString.indexOf("&", start);
+
+        if (end == -1)
+            return queryString.substring(start);
+
+        return queryString.substring(start, end);
+    }
+
+    private static String getTokenValue(String token) {
+        if (token == null)
+            return token;
+
+        int eq = token.indexOf('=');
+        if (eq == -1)
+            return token;
+        else
+            return token.substring(eq + 1);
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/RedirectBindingUtil.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/RedirectBindingUtil.java
new file mode 100755
index 0000000000..0e1c7f72b9
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/RedirectBindingUtil.java
@@ -0,0 +1,219 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.web.util;
+
+import org.keycloak.saml.common.util.Base64;
+import org.keycloak.saml.processing.api.util.DeflateUtil;
+import org.keycloak.saml.common.util.StringUtil;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.URLDecoder;
+import java.net.URLEncoder;
+
+/**
+ * Utility class for SAML HTTP/Redirect binding
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Jan 14, 2009
+ */
+public class RedirectBindingUtil {
+
+    /**
+     * URL encode the string
+     *
+     * @param str
+     *
+     * @return
+     *
+     * @throws IOException
+     */
+    public static String urlEncode(String str) throws IOException {
+        return URLEncoder.encode(str, "UTF-8");
+    }
+
+    /**
+     * URL decode the string
+     *
+     * @param str
+     *
+     * @return
+     *
+     * @throws IOException
+     */
+    public static String urlDecode(String str) throws IOException {
+        return URLDecoder.decode(str, "UTF-8");
+    }
+
+    /**
+     * On the byte array, apply base64 encoding following by URL encoding
+     *
+     * @param stringToEncode
+     *
+     * @return
+     *
+     * @throws IOException
+     */
+    public static String base64URLEncode(byte[] stringToEncode) throws IOException {
+        String base64Request = Base64.encodeBytes(stringToEncode, Base64.DONT_BREAK_LINES);
+        return urlEncode(base64Request);
+    }
+
+    /**
+     * On the byte array, apply URL decoding followed by base64 decoding
+     *
+     * @param encodedString
+     *
+     * @return
+     *
+     * @throws IOException
+     */
+    public static byte[] urlBase64Decode(String encodedString) throws IOException {
+        String decodedString = urlDecode(encodedString);
+        return Base64.decode(decodedString);
+    }
+
+    /**
+     * Apply deflate compression followed by base64 encoding and URL encoding
+     *
+     * @param stringToEncode
+     *
+     * @return
+     *
+     * @throws IOException
+     */
+    public static String deflateBase64URLEncode(String stringToEncode) throws IOException {
+        return deflateBase64URLEncode(stringToEncode.getBytes("UTF-8"));
+    }
+
+    /**
+     * Apply deflate compression followed by base64 encoding and URL encoding
+     *
+     * @param stringToEncode
+     *
+     * @return
+     *
+     * @throws IOException
+     */
+    public static String deflateBase64URLEncode(byte[] stringToEncode) throws IOException {
+        byte[] deflatedMsg = DeflateUtil.encode(stringToEncode);
+        return base64URLEncode(deflatedMsg);
+    }
+
+    /**
+     * Apply deflate compression followed by base64 encoding
+     *
+     * @param stringToEncode
+     *
+     * @return
+     *
+     * @throws IOException
+     */
+    public static String deflateBase64Encode(byte[] stringToEncode) throws IOException {
+        byte[] deflatedMsg = DeflateUtil.encode(stringToEncode);
+        return Base64.encodeBytes(deflatedMsg);
+    }
+
+    /**
+     * Apply URL decoding, followed by base64 decoding followed by deflate decompression
+     *
+     * @param encodedString
+     *
+     * @return
+     *
+     * @throws IOException
+     */
+    public static InputStream urlBase64DeflateDecode(String encodedString) throws IOException {
+        byte[] deflatedString = urlBase64Decode(encodedString);
+        return DeflateUtil.decode(deflatedString);
+    }
+
+    /**
+     * Base64 decode followed by Deflate decoding
+     *
+     * @param encodedString
+     *
+     * @return
+     */
+    public static InputStream base64DeflateDecode(String encodedString) {
+        byte[] base64decodedMsg = Base64.decode(encodedString);
+        return DeflateUtil.decode(base64decodedMsg);
+    }
+
+    /**
+     * Get the Query String for the destination url
+     *
+     * @param urlEncodedRequest
+     * @param urlEncodedRelayState
+     * @param sendRequest either going to be saml request or response
+     *
+     * @return
+     */
+    public static String getDestinationQueryString(String urlEncodedRequest, String urlEncodedRelayState, boolean sendRequest) {
+        StringBuilder sb = new StringBuilder();
+        if (sendRequest)
+            sb.append("SAMLRequest=").append(urlEncodedRequest);
+        else
+            sb.append("SAMLResponse=").append(urlEncodedRequest);
+        if (StringUtil.isNotNull(urlEncodedRelayState))
+            sb.append("&RelayState=").append(urlEncodedRelayState);
+        return sb.toString();
+    }
+
+    /**
+     * Get the destination url
+     *
+     * @param holder
+     *
+     * @return
+     *
+     * @throws IOException
+     */
+    public static String getDestinationURL(RedirectBindingUtilDestHolder holder) throws IOException {
+        String destination = holder.destination;
+        StringBuilder destinationURL = new StringBuilder(destination);
+
+        if (destination.contains("?"))
+            destinationURL.append("&");
+        else
+            destinationURL.append("?");
+
+        destinationURL.append(holder.destinationQueryString);
+
+        return destinationURL.toString();
+    }
+
+    /**
+     * A Destination holder that holds the destination host url and the destination query string
+     */
+    public static class RedirectBindingUtilDestHolder {
+
+        private String destination;
+        private String destinationQueryString;
+
+        public RedirectBindingUtilDestHolder setDestinationQueryString(String dest) {
+            destinationQueryString = dest;
+            return this;
+        }
+
+        public RedirectBindingUtilDestHolder setDestination(String dest) {
+            destination = dest;
+            return this;
+        }
+    }
+}
\ No newline at end of file
diff --git a/saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/SecurityActions.java b/saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/SecurityActions.java
new file mode 100755
index 0000000000..a5411c9fa0
--- /dev/null
+++ b/saml/saml-core/src/main/java/org/keycloak/saml/processing/web/util/SecurityActions.java
@@ -0,0 +1,125 @@
+/*
+ * JBoss, Home of Professional Open Source
+ *
+ * Copyright 2013 Red Hat, Inc. and/or its affiliates.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.keycloak.saml.processing.web.util;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+/**
+ * Privileged Blocks
+ *
+ * @author Anil.Saldhana@redhat.com
+ * @since Dec 9, 2008
+ */
+class SecurityActions {
+
+    /**
+     * <p>
+     * Loads a {@link Class} using the <code>fullQualifiedName</code> supplied. This method tries first to load from
+     * the
+     * specified {@link Class}, if not found it will try to load from using TCL.
+     * </p>
+     *
+     * @param theClass
+     * @param fullQualifiedName
+     *
+     * @return
+     */
+    static Class<?> loadClass(final Class<?> theClass, final String fullQualifiedName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
+                public Class<?> run() {
+                    ClassLoader classLoader = theClass.getClassLoader();
+
+                    Class<?> clazz = loadClass(classLoader, fullQualifiedName);
+                    if (clazz == null) {
+                        classLoader = Thread.currentThread().getContextClassLoader();
+                        clazz = loadClass(classLoader, fullQualifiedName);
+                    }
+                    return clazz;
+                }
+            });
+        } else {
+            ClassLoader classLoader = theClass.getClassLoader();
+
+            Class<?> clazz = loadClass(classLoader, fullQualifiedName);
+            if (clazz == null) {
+                classLoader = Thread.currentThread().getContextClassLoader();
+                clazz = loadClass(classLoader, fullQualifiedName);
+            }
+            return clazz;
+        }
+    }
+
+    /**
+     * <p>
+     * Loads a class from the specified {@link ClassLoader} using the <code>fullQualifiedName</code> supplied.
+     * </p>
+     *
+     * @param classLoader
+     * @param fullQualifiedName
+     *
+     * @return
+     */
+    static Class<?> loadClass(final ClassLoader classLoader, final String fullQualifiedName) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<Class<?>>() {
+                public Class<?> run() {
+                    try {
+                        return classLoader.loadClass(fullQualifiedName);
+                    } catch (ClassNotFoundException e) {
+                    }
+                    return null;
+                }
+            });
+        } else {
+            try {
+                return classLoader.loadClass(fullQualifiedName);
+            } catch (ClassNotFoundException e) {
+            }
+            return null;
+        }
+    }
+
+    /**
+     * <p>Returns a system property value using the specified <code>key</code>. If not found the
+     * <code>defaultValue</code> will be returned.</p>
+     *
+     * @param key
+     * @param defaultValue
+     *
+     * @return
+     */
+    static String getSystemProperty(final String key, final String defaultValue) {
+        SecurityManager sm = System.getSecurityManager();
+
+        if (sm != null) {
+            return AccessController.doPrivileged(new PrivilegedAction<String>() {
+                public String run() {
+                    return System.getProperty(key, defaultValue);
+                }
+            });
+        } else {
+            return System.getProperty(key, defaultValue);
+        }
+    }
+}
diff --git a/saml/saml-protocol/pom.xml b/saml/saml-protocol/pom.xml
index d4a51eb436..511f48dec0 100755
--- a/saml/saml-protocol/pom.xml
+++ b/saml/saml-protocol/pom.xml
@@ -18,6 +18,12 @@
         <maven.build.timestamp.format>yyyy-MM-dd HH:mm</maven.build.timestamp.format>
     </properties>
     <dependencies>
+        <dependency>
+            <groupId>org.keycloak</groupId>
+            <artifactId>keycloak-saml-core</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
         <dependency>
             <groupId>org.jboss.resteasy</groupId>
             <artifactId>resteasy-multipart-provider</artifactId>
@@ -95,11 +101,13 @@
                 </exclusion>
             </exclusions>
         </dependency>
+        <!--
         <dependency>
             <groupId>org.picketlink</groupId>
             <artifactId>picketlink-federation</artifactId>
             <scope>provided</scope>
         </dependency>
+        -->
         <dependency>
             <groupId>org.jboss.resteasy</groupId>
             <artifactId>jaxrs-api</artifactId>
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/EntityDescriptorImporterService.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/EntityDescriptorImporterService.java
index 39d6f37305..68a7412eee 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/EntityDescriptorImporterService.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/EntityDescriptorImporterService.java
@@ -6,19 +6,19 @@ import org.keycloak.models.ApplicationModel;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
 import org.keycloak.services.resources.admin.RealmAuth;
-import org.picketlink.common.constants.JBossSAMLURIConstants;
-import org.picketlink.common.exceptions.ConfigurationException;
-import org.picketlink.common.exceptions.ParsingException;
-import org.picketlink.common.exceptions.ProcessingException;
-import org.picketlink.identity.federation.core.parsers.saml.SAMLParser;
-import org.picketlink.identity.federation.core.saml.v2.util.SAMLMetadataUtil;
-import org.picketlink.identity.federation.core.util.CoreConfigUtil;
-import org.picketlink.identity.federation.saml.v2.metadata.EndpointType;
-import org.picketlink.identity.federation.saml.v2.metadata.EntitiesDescriptorType;
-import org.picketlink.identity.federation.saml.v2.metadata.EntityDescriptorType;
-import org.picketlink.identity.federation.saml.v2.metadata.KeyDescriptorType;
-import org.picketlink.identity.federation.saml.v2.metadata.KeyTypes;
-import org.picketlink.identity.federation.saml.v2.metadata.SPSSODescriptorType;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.processing.core.parsers.saml.SAMLParser;
+import org.keycloak.saml.processing.core.saml.v2.util.SAMLMetadataUtil;
+import org.keycloak.saml.processing.core.util.CoreConfigUtil;
+import org.keycloak.dom.saml.v2.metadata.EndpointType;
+import org.keycloak.dom.saml.v2.metadata.EntitiesDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.EntityDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.KeyDescriptorType;
+import org.keycloak.dom.saml.v2.metadata.KeyTypes;
+import org.keycloak.dom.saml.v2.metadata.SPSSODescriptorType;
 
 import javax.ws.rs.Consumes;
 import javax.ws.rs.POST;
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2AuthnRequestBuilder.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2AuthnRequestBuilder.java
old mode 100644
new mode 100755
index 4dedd018fc..353ef43482
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2AuthnRequestBuilder.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2AuthnRequestBuilder.java
@@ -17,12 +17,12 @@
  */
 package org.keycloak.protocol.saml;
 
-import org.picketlink.common.exceptions.ConfigurationException;
-import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
-import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
-import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil;
-import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
-import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
+import org.keycloak.saml.processing.core.saml.v2.common.IDGenerator;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
 import org.w3c.dom.Document;
 
 import java.net.URI;
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder.java
index e5596f646b..8143d1540e 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder.java
@@ -1,17 +1,16 @@
 package org.keycloak.protocol.saml;
 
 import org.jboss.logging.Logger;
-import org.picketlink.common.constants.GeneralConstants;
-import org.picketlink.common.constants.JBossSAMLConstants;
-import org.picketlink.common.constants.JBossSAMLURIConstants;
-import org.picketlink.common.exceptions.ConfigurationException;
-import org.picketlink.common.exceptions.ProcessingException;
-import org.picketlink.common.util.DocumentUtil;
-import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
-import org.picketlink.identity.federation.core.util.XMLEncryptionUtil;
-import org.picketlink.identity.federation.core.wstrust.WSTrustUtil;
-import org.picketlink.identity.federation.web.util.PostBindingUtil;
-import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature;
+import org.keycloak.saml.processing.core.saml.v2.util.DocumentUtil;
+import org.keycloak.saml.processing.core.util.XMLEncryptionUtil;
+import org.keycloak.saml.processing.web.util.PostBindingUtil;
+import org.keycloak.saml.processing.web.util.RedirectBindingUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
@@ -32,7 +31,7 @@ import java.security.Signature;
 import java.security.cert.X509Certificate;
 
 import static org.keycloak.util.HtmlUtils.escapeAttribute;
-import static org.picketlink.common.util.StringUtil.isNotNull;
+import static org.keycloak.saml.common.util.StringUtil.isNotNull;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@@ -136,7 +135,7 @@ public class SAML2BindingBuilder<T extends SAML2BindingBuilder> {
         }
 
         public String encoded() throws ProcessingException, ConfigurationException, IOException {
-            byte[] responseBytes = org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil.getDocumentAsString(document).getBytes("UTF-8");
+            byte[] responseBytes = DocumentUtil.getDocumentAsString(document).getBytes("UTF-8");
             return PostBindingUtil.base64Encode(new String(responseBytes));
         }
         public Document getDocument() {
@@ -226,7 +225,7 @@ public class SAML2BindingBuilder<T extends SAML2BindingBuilder> {
             QName encryptedAssertionElementQName = new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(),
                     JBossSAMLConstants.ENCRYPTED_ASSERTION.get(), samlNSPrefix);
 
-            byte[] secret = WSTrustUtil.createRandomSecret(encryptionKeySize / 8);
+            byte[] secret = SamlProtocolUtils.createRandomSecret(encryptionKeySize / 8);
             SecretKey secretKey = new SecretKeySpec(secret, encryptionAlgorithm);
 
             // encrypt the Assertion element and replace it with a EncryptedAssertion element.
@@ -264,13 +263,13 @@ public class SAML2BindingBuilder<T extends SAML2BindingBuilder> {
     }
 
     protected void signAssertion(Document samlDocument) throws ProcessingException {
-        Element originalAssertionElement = DocumentUtil.getChildElement(samlDocument.getDocumentElement(), new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get()));
+        Element originalAssertionElement = org.keycloak.saml.common.util.DocumentUtil.getChildElement(samlDocument.getDocumentElement(), new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get()));
         if (originalAssertionElement == null) return;
         Node clonedAssertionElement = originalAssertionElement.cloneNode(true);
         Document temporaryDocument;
 
         try {
-            temporaryDocument = DocumentUtil.createDocument();
+            temporaryDocument = org.keycloak.saml.common.util.DocumentUtil.createDocument();
         } catch (ConfigurationException e) {
             throw new ProcessingException(e);
         }
@@ -299,7 +298,7 @@ public class SAML2BindingBuilder<T extends SAML2BindingBuilder> {
     }
 
     protected String buildHtmlPostResponse(Document responseDoc, String actionUrl, boolean asRequest) throws ProcessingException, ConfigurationException, IOException {
-        byte[] responseBytes = DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
+        byte[] responseBytes = org.keycloak.saml.common.util.DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
         String samlResponse = PostBindingUtil.base64Encode(new String(responseBytes));
 
         return buildHtml(samlResponse, actionUrl, asRequest);
@@ -343,7 +342,7 @@ public class SAML2BindingBuilder<T extends SAML2BindingBuilder> {
     }
 
     protected String base64Encoded(Document document) throws ConfigurationException, ProcessingException, IOException  {
-        String documentAsString = org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil.getDocumentAsString(document);
+        String documentAsString = DocumentUtil.getDocumentAsString(document);
         logger.debugv("saml docment: {0}", documentAsString);
         byte[] responseBytes = documentAsString.getBytes("UTF-8");
 
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder2.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder2.java
index d5cc00d735..79506dfcbc 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder2.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2BindingBuilder2.java
@@ -1,17 +1,16 @@
 package org.keycloak.protocol.saml;
 
 import org.jboss.logging.Logger;
-import org.picketlink.common.constants.GeneralConstants;
-import org.picketlink.common.constants.JBossSAMLConstants;
-import org.picketlink.common.constants.JBossSAMLURIConstants;
-import org.picketlink.common.exceptions.ConfigurationException;
-import org.picketlink.common.exceptions.ProcessingException;
-import org.picketlink.common.util.DocumentUtil;
-import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
-import org.picketlink.identity.federation.core.util.XMLEncryptionUtil;
-import org.picketlink.identity.federation.core.wstrust.WSTrustUtil;
-import org.picketlink.identity.federation.web.util.PostBindingUtil;
-import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.constants.JBossSAMLConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature;
+import org.keycloak.saml.processing.core.saml.v2.util.DocumentUtil;
+import org.keycloak.saml.processing.core.util.XMLEncryptionUtil;
+import org.keycloak.saml.processing.web.util.PostBindingUtil;
+import org.keycloak.saml.processing.web.util.RedirectBindingUtil;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
@@ -32,7 +31,7 @@ import java.security.Signature;
 import java.security.cert.X509Certificate;
 
 import static org.keycloak.util.HtmlUtils.escapeAttribute;
-import static org.picketlink.common.util.StringUtil.isNotNull;
+import static org.keycloak.saml.common.util.StringUtil.isNotNull;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
@@ -125,7 +124,7 @@ public class SAML2BindingBuilder2<T extends SAML2BindingBuilder2> {
         }
 
         public String encoded() throws ProcessingException, ConfigurationException, IOException {
-            byte[] responseBytes = org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil.getDocumentAsString(document).getBytes("UTF-8");
+            byte[] responseBytes = DocumentUtil.getDocumentAsString(document).getBytes("UTF-8");
             return PostBindingUtil.base64Encode(new String(responseBytes));
         }
         public Document getDocument() {
@@ -204,7 +203,7 @@ public class SAML2BindingBuilder2<T extends SAML2BindingBuilder2> {
             QName encryptedAssertionElementQName = new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(),
                     JBossSAMLConstants.ENCRYPTED_ASSERTION.get(), samlNSPrefix);
 
-            byte[] secret = WSTrustUtil.createRandomSecret(encryptionKeySize / 8);
+            byte[] secret = SamlProtocolUtils.createRandomSecret(encryptionKeySize / 8);
             SecretKey secretKey = new SecretKeySpec(secret, encryptionAlgorithm);
 
             // encrypt the Assertion element and replace it with a EncryptedAssertion element.
@@ -242,13 +241,13 @@ public class SAML2BindingBuilder2<T extends SAML2BindingBuilder2> {
     }
 
     protected void signAssertion(Document samlDocument) throws ProcessingException {
-        Element originalAssertionElement = DocumentUtil.getChildElement(samlDocument.getDocumentElement(), new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get()));
+        Element originalAssertionElement = org.keycloak.saml.common.util.DocumentUtil.getChildElement(samlDocument.getDocumentElement(), new QName(JBossSAMLURIConstants.ASSERTION_NSURI.get(), JBossSAMLConstants.ASSERTION.get()));
         if (originalAssertionElement == null) return;
         Node clonedAssertionElement = originalAssertionElement.cloneNode(true);
         Document temporaryDocument;
 
         try {
-            temporaryDocument = DocumentUtil.createDocument();
+            temporaryDocument = org.keycloak.saml.common.util.DocumentUtil.createDocument();
         } catch (ConfigurationException e) {
             throw new ProcessingException(e);
         }
@@ -277,7 +276,7 @@ public class SAML2BindingBuilder2<T extends SAML2BindingBuilder2> {
     }
 
     protected String buildHtmlPostResponse(Document responseDoc, String actionUrl, boolean asRequest) throws ProcessingException, ConfigurationException, IOException {
-        byte[] responseBytes = DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
+        byte[] responseBytes = org.keycloak.saml.common.util.DocumentUtil.getDocumentAsString(responseDoc).getBytes("UTF-8");
         String samlResponse = PostBindingUtil.base64Encode(new String(responseBytes));
 
         return buildHtml(samlResponse, actionUrl, asRequest);
@@ -317,7 +316,7 @@ public class SAML2BindingBuilder2<T extends SAML2BindingBuilder2> {
     }
 
     protected String base64Encoded(Document document) throws ConfigurationException, ProcessingException, IOException  {
-        String documentAsString = org.picketlink.identity.federation.core.saml.v2.util.DocumentUtil.getDocumentAsString(document);
+        String documentAsString = DocumentUtil.getDocumentAsString(document);
         logger.debugv("saml docment: {0}", documentAsString);
         byte[] responseBytes = documentAsString.getBytes("UTF-8");
 
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2ErrorResponseBuilder.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2ErrorResponseBuilder.java
index 7059d68ef7..e35c537fef 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2ErrorResponseBuilder.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2ErrorResponseBuilder.java
@@ -1,15 +1,15 @@
 package org.keycloak.protocol.saml;
 
-import org.picketlink.common.constants.JBossSAMLURIConstants;
-import org.picketlink.common.exceptions.ConfigurationException;
-import org.picketlink.common.exceptions.ProcessingException;
-import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
-import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
-import org.picketlink.identity.federation.core.saml.v2.factories.JBossSAMLAuthnResponseFactory;
-import org.picketlink.identity.federation.core.saml.v2.holders.IDPInfoHolder;
-import org.picketlink.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
-import org.picketlink.identity.federation.core.saml.v2.holders.SPInfoHolder;
-import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
+import org.keycloak.saml.processing.core.saml.v2.common.IDGenerator;
+import org.keycloak.saml.processing.core.saml.v2.factories.JBossSAMLAuthnResponseFactory;
+import org.keycloak.saml.processing.core.saml.v2.holders.IDPInfoHolder;
+import org.keycloak.saml.processing.core.saml.v2.holders.IssuerInfoHolder;
+import org.keycloak.saml.processing.core.saml.v2.holders.SPInfoHolder;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
 import org.w3c.dom.Document;
 
 /**
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LoginResponseBuilder.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LoginResponseBuilder.java
old mode 100644
new mode 100755
index d50698f4f9..bc0bb2638f
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LoginResponseBuilder.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LoginResponseBuilder.java
@@ -1,26 +1,26 @@
 package org.keycloak.protocol.saml;
 
-import org.picketlink.common.PicketLinkLogger;
-import org.picketlink.common.PicketLinkLoggerFactory;
-import org.picketlink.common.constants.JBossSAMLURIConstants;
-import org.picketlink.common.exceptions.ConfigurationException;
-import org.picketlink.common.exceptions.ProcessingException;
-import org.picketlink.common.util.DocumentUtil;
-import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
-import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
-import org.picketlink.identity.federation.core.saml.v2.holders.IDPInfoHolder;
-import org.picketlink.identity.federation.core.saml.v2.holders.IssuerInfoHolder;
-import org.picketlink.identity.federation.core.saml.v2.holders.SPInfoHolder;
-import org.picketlink.identity.federation.core.saml.v2.util.StatementUtil;
-import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil;
-import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
-import org.picketlink.identity.federation.saml.v2.assertion.AuthnStatementType;
-import org.picketlink.identity.federation.saml.v2.assertion.ConditionsType;
-import org.picketlink.identity.federation.saml.v2.assertion.SubjectConfirmationDataType;
-import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.common.util.DocumentUtil;
+import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
+import org.keycloak.saml.processing.core.saml.v2.common.IDGenerator;
+import org.keycloak.saml.processing.core.saml.v2.holders.IDPInfoHolder;
+import org.keycloak.saml.processing.core.saml.v2.holders.IssuerInfoHolder;
+import org.keycloak.saml.processing.core.saml.v2.holders.SPInfoHolder;
+import org.keycloak.saml.processing.core.saml.v2.util.StatementUtil;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
+import org.keycloak.dom.saml.v2.assertion.AuthnStatementType;
+import org.keycloak.dom.saml.v2.assertion.ConditionsType;
+import org.keycloak.dom.saml.v2.assertion.SubjectConfirmationDataType;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
 import org.w3c.dom.Document;
 
-import static org.picketlink.common.util.StringUtil.isNotNull;
+import static org.keycloak.saml.common.util.StringUtil.isNotNull;
 
 /**
  * <p> Handles for dealing with SAML2 Authentication </p>
@@ -81,7 +81,7 @@ public class SAML2LoginResponseBuilder {
      * @return
      */
     public SAML2LoginResponseBuilder assertionExpiration(int assertionExpiration) {
-        this.assertionExpiration = subjectExpiration;
+        this.assertionExpiration = assertionExpiration;
         return this;
     }
 
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LogoutRequestBuilder.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LogoutRequestBuilder.java
index 5cf301fc0e..9cbfa44b9f 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LogoutRequestBuilder.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LogoutRequestBuilder.java
@@ -1,13 +1,12 @@
 package org.keycloak.protocol.saml;
 
-import org.picketlink.common.exceptions.ConfigurationException;
-import org.picketlink.common.exceptions.ParsingException;
-import org.picketlink.common.exceptions.ProcessingException;
-import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
-import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil;
-import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
-import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
-import org.picketlink.identity.federation.saml.v2.protocol.LogoutRequestType;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
 import org.w3c.dom.Document;
 
 import java.net.URI;
@@ -20,6 +19,20 @@ public class SAML2LogoutRequestBuilder extends SAML2BindingBuilder<SAML2LogoutRe
     protected String userPrincipal;
     protected String userPrincipalFormat;
     protected String sessionIndex;
+    protected long assertionExpiration;
+
+    /**
+     * Length of time in seconds the assertion is valid for
+     * See SAML core specification 2.5.1.2 NotOnOrAfter
+     *
+     * @param assertionExpiration Number of seconds the assertion should be valid
+     * @return
+     */
+    public SAML2LogoutRequestBuilder assertionExpiration(int assertionExpiration) {
+        this.assertionExpiration = assertionExpiration;
+        return this;
+    }
+
 
     public SAML2LogoutRequestBuilder userPrincipal(String nameID, String nameIDformat) {
         this.userPrincipal = nameID;
@@ -66,9 +79,8 @@ public class SAML2LogoutRequestBuilder extends SAML2BindingBuilder<SAML2LogoutRe
         }
         if (sessionIndex != null) lort.addSessionIndex(sessionIndex);
 
-        long assertionValidity = PicketLinkCoreSTS.instance().getConfiguration().getIssuedTokenTimeout();
 
-        lort.setNotOnOrAfter(XMLTimeUtil.add(lort.getIssueInstant(), assertionValidity));
+        if (assertionExpiration > 0) lort.setNotOnOrAfter(XMLTimeUtil.add(lort.getIssueInstant(), assertionExpiration * 1000));
         lort.setDestination(URI.create(destination));
         return lort;
     }
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LogoutResponseBuilder.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LogoutResponseBuilder.java
index c9c63b23eb..f172910f6c 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LogoutResponseBuilder.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2LogoutResponseBuilder.java
@@ -1,16 +1,16 @@
 package org.keycloak.protocol.saml;
 
-import org.picketlink.common.constants.JBossSAMLURIConstants;
-import org.picketlink.common.exceptions.ConfigurationException;
-import org.picketlink.common.exceptions.ParsingException;
-import org.picketlink.common.exceptions.ProcessingException;
-import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
-import org.picketlink.identity.federation.core.saml.v2.common.IDGenerator;
-import org.picketlink.identity.federation.core.saml.v2.util.XMLTimeUtil;
-import org.picketlink.identity.federation.saml.v2.assertion.NameIDType;
-import org.picketlink.identity.federation.saml.v2.protocol.StatusCodeType;
-import org.picketlink.identity.federation.saml.v2.protocol.StatusResponseType;
-import org.picketlink.identity.federation.saml.v2.protocol.StatusType;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
+import org.keycloak.saml.processing.core.saml.v2.common.IDGenerator;
+import org.keycloak.saml.processing.core.saml.v2.util.XMLTimeUtil;
+import org.keycloak.dom.saml.v2.assertion.NameIDType;
+import org.keycloak.dom.saml.v2.protocol.StatusCodeType;
+import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
+import org.keycloak.dom.saml.v2.protocol.StatusType;
 import org.w3c.dom.Document;
 
 import java.net.URI;
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2NameIDPolicyBuilder.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2NameIDPolicyBuilder.java
old mode 100644
new mode 100755
index 71f4186beb..cc395cbf9b
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2NameIDPolicyBuilder.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAML2NameIDPolicyBuilder.java
@@ -17,7 +17,7 @@
  */
 package org.keycloak.protocol.saml;
 
-import org.picketlink.identity.federation.saml.v2.protocol.NameIDPolicyType;
+import org.keycloak.dom.saml.v2.protocol.NameIDPolicyType;
 
 import java.net.URI;
 
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAMLRequestParser.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAMLRequestParser.java
index a66397f692..f4cfd77ed0 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAMLRequestParser.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SAMLRequestParser.java
@@ -1,12 +1,12 @@
 package org.keycloak.protocol.saml;
 
-import org.picketlink.common.PicketLinkLogger;
-import org.picketlink.common.PicketLinkLoggerFactory;
-import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
-import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
-import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
-import org.picketlink.identity.federation.web.util.PostBindingUtil;
-import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
+import org.keycloak.saml.common.PicketLinkLogger;
+import org.keycloak.saml.common.PicketLinkLoggerFactory;
+import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
+import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
+import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
+import org.keycloak.saml.processing.web.util.PostBindingUtil;
+import org.keycloak.saml.processing.web.util.RedirectBindingUtil;
 
 import java.io.ByteArrayInputStream;
 import java.io.InputStream;
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java
index dc2caa8509..3c3ada6fcf 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocol.java
@@ -24,15 +24,14 @@ import org.keycloak.services.messages.Messages;
 import org.keycloak.services.resources.RealmsResource;
 import org.keycloak.services.resources.admin.ClientAttributeCertificateResource;
 import org.keycloak.services.resources.flows.Flows;
-import org.picketlink.common.constants.GeneralConstants;
-import org.picketlink.common.constants.JBossSAMLURIConstants;
-import org.picketlink.common.exceptions.ConfigurationException;
-import org.picketlink.common.exceptions.ParsingException;
-import org.picketlink.common.exceptions.ProcessingException;
-import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
-import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
-import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
-import org.picketlink.identity.federation.web.handlers.saml2.SAML2LogOutHandler;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.common.exceptions.ConfigurationException;
+import org.keycloak.saml.common.exceptions.ParsingException;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
 import org.w3c.dom.Document;
 
 import javax.ws.rs.core.HttpHeaders;
@@ -526,7 +525,7 @@ public class SamlProtocol implements LoginProtocol {
         try {
             ClientRequest request = executor.createRequest(logoutUrl);
             request.formParameter(GeneralConstants.SAML_REQUEST_KEY, logoutRequestString);
-            request.formParameter(SAML2LogOutHandler.BACK_CHANNEL_LOGOUT, SAML2LogOutHandler.BACK_CHANNEL_LOGOUT);
+            request.formParameter("BACK_CHANNEL_LOGOUT", "BACK_CHANNEL_LOGOUT"); // for Picketlink adapter, todo remove this
             ClientResponse response = null;
             try {
                 response = request.post();
@@ -538,7 +537,7 @@ public class SamlProtocol implements LoginProtocol {
                     if (withSlash.equals(redirect)) {
                         request = executor.createRequest(withSlash);
                         request.formParameter(GeneralConstants.SAML_REQUEST_KEY, logoutRequestString);
-                        request.formParameter(SAML2LogOutHandler.BACK_CHANNEL_LOGOUT, SAML2LogOutHandler.BACK_CHANNEL_LOGOUT);
+                        request.formParameter("BACK_CHANNEL_LOGOUT", "BACK_CHANNEL_LOGOUT"); // for Picketlink adapter, todo remove this
                         response = request.post();
                         response.releaseConnection();
                     }
@@ -556,6 +555,7 @@ public class SamlProtocol implements LoginProtocol {
     protected SAML2LogoutRequestBuilder createLogoutRequest(String logoutUrl, ClientSessionModel clientSession, ClientModel client) {
         // build userPrincipal with subject used at login
         SAML2LogoutRequestBuilder logoutBuilder = new SAML2LogoutRequestBuilder()
+                                         .assertionExpiration(realm.getAccessCodeLifespan())
                                          .issuer(getResponseIssuer(realm))
                                          .userPrincipal(clientSession.getNote(SAML_NAME_ID), clientSession.getNote(SAML_NAME_ID_FORMAT))
                                          .destination(logoutUrl);
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocolFactory.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocolFactory.java
index 2387e1cd12..4c74ab5910 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocolFactory.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocolFactory.java
@@ -12,9 +12,8 @@ import org.keycloak.protocol.saml.mappers.AttributeStatementHelper;
 import org.keycloak.protocol.saml.mappers.RoleListMapper;
 import org.keycloak.protocol.saml.mappers.UserPropertyAttributeStatementMapper;
 import org.keycloak.services.managers.AuthenticationManager;
-import org.picketlink.common.constants.JBossSAMLURIConstants;
-import org.picketlink.identity.federation.core.saml.v2.constants.X500SAMLProfileConstants;
-import org.picketlink.identity.federation.core.sts.PicketLinkCoreSTS;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.processing.core.saml.v2.constants.X500SAMLProfileConstants;
 
 import java.util.ArrayList;
 import java.util.List;
@@ -37,8 +36,8 @@ public class SamlProtocolFactory extends AbstractLoginProtocolFactory {
 
     @Override
     public void init(Config.Scope config) {
-        PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
-        sts.installDefaultConfiguration();
+        //PicketLinkCoreSTS sts = PicketLinkCoreSTS.instance();
+        //sts.installDefaultConfiguration();
     }
 
     @Override
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocolUtils.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocolUtils.java
index 0e8c3c2113..6a4c313dc7 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocolUtils.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlProtocolUtils.java
@@ -3,16 +3,17 @@ package org.keycloak.protocol.saml;
 import org.keycloak.VerificationException;
 import org.keycloak.models.ClientModel;
 import org.keycloak.util.PemUtils;
-import org.picketlink.common.constants.GeneralConstants;
-import org.picketlink.common.exceptions.ProcessingException;
-import org.picketlink.identity.federation.api.saml.v2.sig.SAML2Signature;
-import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.exceptions.ProcessingException;
+import org.keycloak.saml.processing.api.saml.v2.sig.SAML2Signature;
+import org.keycloak.saml.processing.web.util.RedirectBindingUtil;
 import org.w3c.dom.Document;
 
 import javax.ws.rs.core.MultivaluedMap;
 import javax.ws.rs.core.UriBuilder;
 import javax.ws.rs.core.UriInfo;
 import java.security.PublicKey;
+import java.security.SecureRandom;
 import java.security.Signature;
 import java.security.cert.Certificate;
 
@@ -22,6 +23,23 @@ import java.security.cert.Certificate;
  */
 public class SamlProtocolUtils {
 
+    /**
+     * <p>
+     * Creates a random {@code byte[]} secret of the specified size.
+     * </p>
+     *
+     * @param size the size of the secret to be created, in bytes.
+     *
+     * @return a {@code byte[]} containing the generated secret.
+     */
+    public static byte[] createRandomSecret(final int size) {
+        SecureRandom random = new SecureRandom();
+        byte[] secret = new byte[size];
+        random.nextBytes(secret);
+        return secret;
+    }
+
+
     public static void verifyDocumentSignature(ClientModel client, Document document) throws VerificationException {
         if (!"true".equals(client.getAttribute(SamlProtocol.SAML_CLIENT_SIGNATURE_ATTRIBUTE))) {
             return;
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java
index 3aa016cb11..b6dfebb36e 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/SamlService.java
@@ -18,7 +18,6 @@ import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.RealmModel;
 import org.keycloak.models.UserSessionModel;
 import org.keycloak.models.utils.KeycloakModelUtils;
-import org.keycloak.protocol.oidc.OIDCLoginProtocolService;
 import org.keycloak.protocol.oidc.utils.RedirectUtils;
 import org.keycloak.services.managers.AuthenticationManager;
 import org.keycloak.services.managers.ClientSessionCode;
@@ -27,17 +26,15 @@ import org.keycloak.services.messages.Messages;
 import org.keycloak.services.resources.RealmsResource;
 import org.keycloak.services.resources.flows.Flows;
 import org.keycloak.util.StreamUtil;
-import org.picketlink.common.constants.GeneralConstants;
-import org.picketlink.common.constants.JBossSAMLURIConstants;
-import org.picketlink.identity.federation.core.saml.v2.common.SAMLDocumentHolder;
-import org.picketlink.identity.federation.saml.v2.SAML2Object;
-import org.picketlink.identity.federation.saml.v2.protocol.AuthnRequestType;
-import org.picketlink.identity.federation.saml.v2.protocol.LogoutRequestType;
-import org.picketlink.identity.federation.saml.v2.protocol.NameIDPolicyType;
-import org.picketlink.identity.federation.saml.v2.protocol.RequestAbstractType;
-import org.picketlink.identity.federation.saml.v2.protocol.StatusResponseType;
-import org.picketlink.identity.federation.web.util.PostBindingUtil;
-import org.picketlink.identity.federation.web.util.RedirectBindingUtil;
+import org.keycloak.saml.common.constants.GeneralConstants;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
+import org.keycloak.dom.saml.v2.SAML2Object;
+import org.keycloak.dom.saml.v2.protocol.AuthnRequestType;
+import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
+import org.keycloak.dom.saml.v2.protocol.NameIDPolicyType;
+import org.keycloak.dom.saml.v2.protocol.RequestAbstractType;
+import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
 
 import javax.ws.rs.Consumes;
 import javax.ws.rs.FormParam;
@@ -58,7 +55,6 @@ import javax.ws.rs.ext.Providers;
 import java.io.InputStream;
 import java.net.URI;
 import java.security.PublicKey;
-import java.security.Signature;
 
 /**
  * Resource class for the oauth/openid connect token service
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/AttributeStatementHelper.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/AttributeStatementHelper.java
index 06b299ad49..11e27dc20d 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/AttributeStatementHelper.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/AttributeStatementHelper.java
@@ -4,9 +4,9 @@ import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.protocol.ProtocolMapper;
 import org.keycloak.protocol.ProtocolMapperUtils;
 import org.keycloak.protocol.saml.SamlProtocol;
-import org.picketlink.common.constants.JBossSAMLURIConstants;
-import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
-import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
 
 import java.util.ArrayList;
 import java.util.HashMap;
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedAttributeMapper.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedAttributeMapper.java
index 455375e3f0..5ec2589535 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedAttributeMapper.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedAttributeMapper.java
@@ -3,10 +3,8 @@ package org.keycloak.protocol.saml.mappers;
 import org.keycloak.models.ClientSessionModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.ProtocolMapperModel;
-import org.keycloak.models.UserModel;
 import org.keycloak.models.UserSessionModel;
-import org.keycloak.protocol.ProtocolMapperUtils;
-import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
 
 import java.util.ArrayList;
 import java.util.List;
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedRole.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedRole.java
index 862a0ca28e..15a6d8b021 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedRole.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/HardcodedRole.java
@@ -1,12 +1,7 @@
 package org.keycloak.protocol.saml.mappers;
 
-import org.keycloak.models.ClientSessionModel;
-import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.ProtocolMapperModel;
-import org.keycloak.models.UserSessionModel;
-import org.keycloak.protocol.ProtocolMapperUtils;
 import org.keycloak.protocol.saml.SamlProtocol;
-import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
 
 import java.util.ArrayList;
 import java.util.HashMap;
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/RoleListMapper.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/RoleListMapper.java
index 68188cf80f..eb0e3549b2 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/RoleListMapper.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/RoleListMapper.java
@@ -7,10 +7,9 @@ import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.RoleModel;
 import org.keycloak.models.UserSessionModel;
 import org.keycloak.protocol.ProtocolMapper;
-import org.keycloak.protocol.ProtocolMapperUtils;
 import org.keycloak.protocol.saml.SamlProtocol;
-import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
-import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
 
 import java.util.ArrayList;
 import java.util.HashMap;
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/SAMLAttributeStatementMapper.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/SAMLAttributeStatementMapper.java
index 5b1a3da3d4..4a7dbfb119 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/SAMLAttributeStatementMapper.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/SAMLAttributeStatementMapper.java
@@ -4,7 +4,7 @@ import org.keycloak.models.ClientSessionModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.UserSessionModel;
-import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/SAMLLoginResponseMapper.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/SAMLLoginResponseMapper.java
index d9725e8a2d..5f17893b68 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/SAMLLoginResponseMapper.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/SAMLLoginResponseMapper.java
@@ -4,7 +4,7 @@ import org.keycloak.models.ClientSessionModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.UserSessionModel;
-import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/SAMLRoleListMapper.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/SAMLRoleListMapper.java
index b2d500fa67..160b3acfb9 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/SAMLRoleListMapper.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/SAMLRoleListMapper.java
@@ -4,7 +4,7 @@ import org.keycloak.models.ClientSessionModel;
 import org.keycloak.models.KeycloakSession;
 import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.UserSessionModel;
-import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
 
 /**
  * @author <a href="mailto:bill@burkecentral.com">Bill Burke</a>
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/UserAttributeStatementMapper.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/UserAttributeStatementMapper.java
index fd83512334..a31b5a406f 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/UserAttributeStatementMapper.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/UserAttributeStatementMapper.java
@@ -6,7 +6,7 @@ import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserSessionModel;
 import org.keycloak.protocol.ProtocolMapperUtils;
-import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
 
 import java.util.ArrayList;
 import java.util.List;
diff --git a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/UserPropertyAttributeStatementMapper.java b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/UserPropertyAttributeStatementMapper.java
index 6294b68000..c9596d0d73 100755
--- a/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/UserPropertyAttributeStatementMapper.java
+++ b/saml/saml-protocol/src/main/java/org/keycloak/protocol/saml/mappers/UserPropertyAttributeStatementMapper.java
@@ -6,7 +6,7 @@ import org.keycloak.models.ProtocolMapperModel;
 import org.keycloak.models.UserModel;
 import org.keycloak.models.UserSessionModel;
 import org.keycloak.protocol.ProtocolMapperUtils;
-import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
 
 import java.util.ArrayList;
 import java.util.List;
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLKeyCloakServerBrokerBasicTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLKeyCloakServerBrokerBasicTest.java
index b6a0210743..70cbc78aa6 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLKeyCloakServerBrokerBasicTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLKeyCloakServerBrokerBasicTest.java
@@ -9,11 +9,9 @@ import org.keycloak.models.UserModel;
 import org.keycloak.services.managers.RealmManager;
 import org.keycloak.testsuite.rule.AbstractKeycloakRule;
 import org.keycloak.testutils.KeycloakServer;
-import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
-import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
-import org.picketlink.identity.federation.web.util.PostBindingUtil;
-
-import java.net.URLDecoder;
+import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
+import org.keycloak.saml.processing.web.util.PostBindingUtil;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLKeyCloakServerBrokerWithSignatureTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLKeyCloakServerBrokerWithSignatureTest.java
index 8c2bb5d3aa..f052e3c6ca 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLKeyCloakServerBrokerWithSignatureTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/broker/SAMLKeyCloakServerBrokerWithSignatureTest.java
@@ -8,11 +8,9 @@ import org.keycloak.models.UserModel;
 import org.keycloak.services.managers.RealmManager;
 import org.keycloak.testsuite.rule.AbstractKeycloakRule;
 import org.keycloak.testutils.KeycloakServer;
-import org.picketlink.identity.federation.api.saml.v2.request.SAML2Request;
-import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
-import org.picketlink.identity.federation.web.util.PostBindingUtil;
-
-import java.net.URLDecoder;
+import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
+import org.keycloak.saml.processing.web.util.PostBindingUtil;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
diff --git a/testsuite/integration/src/test/java/org/keycloak/testsuite/saml/SamlBindingTest.java b/testsuite/integration/src/test/java/org/keycloak/testsuite/saml/SamlBindingTest.java
index a8391aee54..126c465626 100755
--- a/testsuite/integration/src/test/java/org/keycloak/testsuite/saml/SamlBindingTest.java
+++ b/testsuite/integration/src/test/java/org/keycloak/testsuite/saml/SamlBindingTest.java
@@ -29,14 +29,14 @@ import org.keycloak.testsuite.rule.KeycloakRule;
 import org.keycloak.testsuite.rule.WebResource;
 import org.keycloak.testsuite.rule.WebRule;
 import org.openqa.selenium.WebDriver;
-import org.picketlink.common.constants.JBossSAMLURIConstants;
-import org.picketlink.identity.federation.api.saml.v2.response.SAML2Response;
-import org.picketlink.identity.federation.core.saml.v2.constants.X500SAMLProfileConstants;
-import org.picketlink.identity.federation.saml.v2.assertion.AssertionType;
-import org.picketlink.identity.federation.saml.v2.assertion.AttributeStatementType;
-import org.picketlink.identity.federation.saml.v2.assertion.AttributeType;
-import org.picketlink.identity.federation.saml.v2.protocol.ResponseType;
-import org.picketlink.identity.federation.web.util.PostBindingUtil;
+import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
+import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
+import org.keycloak.saml.processing.core.saml.v2.constants.X500SAMLProfileConstants;
+import org.keycloak.dom.saml.v2.assertion.AssertionType;
+import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
+import org.keycloak.dom.saml.v2.assertion.AttributeType;
+import org.keycloak.dom.saml.v2.protocol.ResponseType;
+import org.keycloak.saml.processing.web.util.PostBindingUtil;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;